RE: [cobalt-users] Possible spammer or what?
- Subject: RE: [cobalt-users] Possible spammer or what?
- From: Greg Hewitt-Long <greg@xxxxxxxxxxxxxxxxxxx>
- Date: Tue Aug 21 09:34:01 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
> > Yes, we have a few, with the refers set to only allow from our domain.
>
> Doesn't matter.
> See
> http://www.securiteam.com/exploits/FormMail_discloses_environment_variables_information.html
Dan,
You miss one of the more important reasons for removing formmail.pl -
It's actually worse than simply revealing environment variables - imho - at least with only a few vars someone needs to know WHAT to do with them - we found a client site with formmail.pl (v1.6 - courtesy of Matt Wright) on one of our servers - the script had been exploited to send about 5,000 homosexually explicit porn adverts out of the server PER DAY for about a week - we didn't notice for a while, as they were pretty careful to send only 5,000 a day!
The exploit means that using HTTP, formmail.pl can be used to send ANONYMOUS EMAIL FROM YOUR SERVER!!
http://www.google.com/search?q=formmail+exploit yields a few useful pages, but this is one of the better ones:
http://lists.kernelnotes.de/bugtraq/2001-June/000736.html
&
http://www.securityfocus.com/templates/archive.pike?list=1&mid=168177
There are security fixes, but we generally tell clients to use Selena Sol's form_processor.cgi or a version I fixed a couple of minor bugs in, which we make available to them really easily.
In the event we find formmail.pl on one of our machines, we disable it and notify the client. All our clients are notified of this policy at sign-up. We simply won't tolerate the script on our servers!
regards
Greg Hewitt-Long
--
http://www.webyourbusiness.com/
Providers of E-Commerce Software &
Web Design Consultancy and Services.
PH: (970)266-0195 FAX: (970)266-0158
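The two things the message above describes as practice, noticing that formmail.pl is being driven over HTTP and finding and disabling the script on a hosted machine, can both be done from the server side. The following is an added example, not code from the original message or from the cobalt-users list; it assumes Apache combined-format access logs, a script path under /cgi-bin/, and a document root laid out like the constructed temporary one it builds for itself. The sample log lines are constructed for the example and are not from the incident described.

```python
import os
import re
import tempfile
from collections import Counter

# Constructed sample Apache combined-log lines (not from the original message).
# Two POSTs to formmail.pl from one client on one day, an unrelated GET, and
# one more hit the next day using a differently-cased script name.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Aug/2001:03:12:44 -0600] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 512 "http://www.example.com/contact.html" "Mozilla/4.0"
203.0.113.7 - - [20/Aug/2001:03:12:45 -0600] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 512 "http://www.example.com/contact.html" "Mozilla/4.0"
198.51.100.9 - - [20/Aug/2001:11:02:10 -0600] "GET /index.html HTTP/1.0" 200 2048 "-" "Mozilla/4.0"
203.0.113.7 - - [21/Aug/2001:03:12:44 -0600] "POST /cgi-bin/FormMail.pl HTTP/1.0" 200 512 "-" "-"
"""

# Minimal parser for the combined log format: client ip, day, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<day>[^:]+):[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Match the script name case-insensitively; a query string may follow it.
FORMMAIL_RE = re.compile(r'/formmail\.pl(\?|$)', re.IGNORECASE)


def formmail_hits(lines):
    """Count requests to formmail.pl per (day, client ip)."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not FORMMAIL_RE.search(m.group('path')):
            continue
        counts[(m.group('day'), m.group('ip'))] += 1
    return counts


def audit_log(lines, per_day_threshold=0):
    """Return (day, ip, count) for every day/ip whose hit count exceeds the
    threshold. The default of 0 flags any use at all, matching a policy of
    not tolerating the script rather than hunting for a daily volume spike."""
    return sorted(
        (day, ip, n)
        for (day, ip), n in formmail_hits(lines).items()
        if n > per_day_threshold
    )


def find_formmail_scripts(docroot):
    """Walk a document root and return paths of files named formmail.pl."""
    found = []
    for root, _dirs, files in os.walk(docroot):
        for name in files:
            if name.lower() == 'formmail.pl':
                found.append(os.path.join(root, name))
    return sorted(found)


def disable_script(path):
    """Disable a script without deleting it: remove all permission bits so the
    web server cannot execute it, then rename it so the old URL no longer maps
    to it. The file is kept so the client can be shown what was found."""
    disabled = path + '.disabled'
    os.chmod(path, 0o000)
    os.rename(path, disabled)
    return disabled


def demo_docroot_audit():
    """Build a throwaway document root (constructed for this example), find the
    script, disable it, and return what was found before and after."""
    docroot = tempfile.mkdtemp()
    cgi_bin = os.path.join(docroot, 'cgi-bin')
    os.makedirs(cgi_bin)
    script = os.path.join(cgi_bin, 'FormMail.pl')
    with open(script, 'w') as fh:
        fh.write("#!/usr/bin/perl\n")  # placeholder contents, constructed
    before = find_formmail_scripts(docroot)
    disabled = [disable_script(p) for p in before]
    after = find_formmail_scripts(docroot)
    return before, disabled, after


if __name__ == '__main__':
    for day, ip, n in audit_log(SAMPLE_LOG.splitlines()):
        print(f"{day} {ip} formmail.pl requests: {n}")
    print(demo_docroot_audit())
```

Run against a real access_log with audit_log(open('/var/log/httpd/access_log')), the hit list gives the per-day volume per source, which is the figure the message says went unnoticed for a week; find_formmail_scripts and disable_script cover the "disable it and notify the client" step without destroying the evidence.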