Re: [cobalt-users] don't touch formMail.pl - was Universal CGI-BIN Problem

[flash22@xxxxxxx]

On Tue, 13 Mar 2001, Carrie Bartkowiak wrote:
> http://www.securiteam.com/exploits/FormMail_discloses_environment_variables_
> information.html
> 
> I couldn't get this URL to work but I did back it up to the /exploits and
> was presented with a list of hacks and exploits that frankly just makes me
> want to shut down the server and close up shop. Egads, batman.
> And the bad thing is, they put up the exploit in full source - a hacker's
> dream come true. Would it not be sufficient to say that the exploit does
> this or that by exploiting this or that vulnerability, and not give away the
> actual exploit? IMHO, this site does more to promote hacking and exploiting
> than it does to promote securing your server/site. Full posting of the
> source exploits is nothing less than irresponsible.

That depends on your point of view, if you only expect the author to be
doing fixes, then perhaps yes, but keep in mind this is open source code,
you can fix things yourself, to do this you need to understand how the
exploits work.

You don't really think the hackers don't already have working code before
the security folks figure out what they did do you ? ;)

The link above is from the May 2000 Archives, so it's not like they didn't
give the author time to fix the code and users time to update....

Several people on this list have in the past warned about issues with
form-mail type scripts being usable for spamming in the past, months ago.

You really have to look at free cgi's with a scheptical eye, i have lost
count of how many i have downloaded, look at the code, found several
things i really didn't like from a security point of view , and trashed..

Just the nature of the beast i guess...

gsh