RE: [cobalt-users] [OT] [RAQ4] Formmail 1.9
- Subject: RE: [cobalt-users] [OT] [RAQ4] Formmail 1.9
- From: "Jolley, Carl" <Carl.Jolley@xxxxxxx>
- Date: Tue Jun 25 10:53:01 2002
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
-----Original Message-----
From: Larry Smith [mailto:lesmith@xxxxxxxxx]
Sent: Tuesday, June 25, 2002 10:03 AM
To: cobalt-users@xxxxxxxxxxxxxxx
Subject: Re: [cobalt-users] [OT] [RAQ4] Formmail 1.9
INRE [cobalt-users] [OT] [RAQ4] Formmail 1.9:
> www.mountainsoftware.co.uk/cgi-bin/formmail.pl is no longer there..
>
> I'm *still* seeing the spammer.. does anyone have any suggestions on
> how to close this hole?
While probably _not_ the perfect answer for everyone, my action has been to
create a "different" formmail.pl that (1) has the recipient changed to
something else (mail_to, my_addy or something off-wall); (2) hard-coded this
new "recipient" into each version/copy of the script that I need so that the
program will "only" send to that address; (3) test the incoming original
"recipient" form value to see if it matches what I know is in the form, and
if _not_ send me (admin) a mail message with the IP address and copy of what
was submitted; [ and (4) here locally add _that_ IP to my deny tables ].
It means you end up having a "formmail" for each local "form" (unique
recipient), but does mean that you are pretty darn secure from violations of
your forms.
_______________________________________
Over the years, I've made several custom changes to
formmail. Lately after reading some of the papers
about the various formmail vulnerabilities, I've made
a few more.
Most of the exploit attempts I've seen involve use
of the GET method. This seems to be especially popular
with people who have written scripts to "scan" for
vulnerable systems looking to get a response from
<web site>/cgi-bin/formmail.pl or formmail.cgi.
I enforce use of the POST method and require that HTTP-REFERER
point to a page on the web-site being served. I also require
that only certain domains be permitted as "recipients", i.e. only
"internal" e-mail addresses. I check for and reject any recipient,
email or real-name field that contains a colon, percent sign or linefeed.
I've implemented a form-id field that maps to a key of a local database
that contains recipient e-mail address information so that people
who look at the HTML source for a form can't see any e-mail addresses.
I also log every formmail "transaction" so that I know the entire
web server environment that existed when a form was submitted including
REMOTE-HOST and REMOTE-IP. Any GET request that arrives with a
QUERY-STRING gets a stern warning that the exploit has been detected and
a delayed response several minutes in duration just to slow down the pace
of their scripts. Repeat offenders result in an e-mail to the "abuse"
e-mail address of the associated ISP.
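The checks Carl lists (POST only, a referer on the served site, rejecting colon/percent/linefeed in the address fields, a form-id looked up in a local table instead of a visible recipient, a per-transaction log with REMOTE_HOST and REMOTE_ADDR, and a slow-down for GET scans) as an added Python sketch; this is not formmail's code nor either poster's, and FORM_DB, ALLOWED_DOMAINS, the field names and all sample values are constructed assumptions.

```python
# Added example (not formmail's code): the request checks described in the
# reply above, as plain functions so they can be exercised offline.
import re
import time

# Constructed local "database": form-id -> recipient, so the HTML form
# never carries an e-mail address (assumed layout, not formmail's).
FORM_DB = {"contact-us": "sales@example.com", "support": "help@example.com"}
ALLOWED_DOMAINS = {"example.com"}            # "internal" recipients only
BAD_CHARS = re.compile(r"[:%\n\r]")          # colon, percent, linefeed (CR added here)
SCAN_DELAY_SECONDS = 0                       # e.g. 180 in production to slow scanners

def referer_is_local(env):
    """HTTP_REFERER must point at a page on the web site being served."""
    ref = env.get("HTTP_REFERER", "")
    host = env.get("SERVER_NAME", "")
    pattern = r"^https?://%s(?::\d+)?/" % re.escape(host)
    return bool(host) and re.match(pattern, ref) is not None

def check_request(env, form):
    """Return (recipient, None) if the submission is acceptable, else (None, reason)."""
    if env.get("REQUEST_METHOD") != "POST":
        if env.get("QUERY_STRING"):
            time.sleep(SCAN_DELAY_SECONDS)   # deliberate delay for scanner scripts
            return None, "exploit-scan: GET with QUERY_STRING"
        return None, "method not POST"
    if not referer_is_local(env):
        return None, "referer not local"
    for field in ("recipient", "email", "realname"):
        if BAD_CHARS.search(form.get(field, "")):
            return None, "bad character in %s" % field
    recipient = FORM_DB.get(form.get("form-id", ""))
    if recipient is None:
        return None, "unknown form-id"
    if recipient.rsplit("@", 1)[-1].lower() not in ALLOWED_DOMAINS:
        return None, "recipient domain not permitted"
    return recipient, None

def log_line(env, form, verdict):
    """One log record per transaction: who submitted, from where, and the verdict."""
    return "%s host=%s ip=%s method=%s form-id=%s verdict=%s" % (
        time.strftime("%Y-%m-%dT%H:%M:%S"), env.get("REMOTE_HOST", "-"),
        env.get("REMOTE_ADDR", "-"), env.get("REQUEST_METHOD", "-"),
        form.get("form-id", "-"), verdict)
```

In a real CGI, `env` is `os.environ` and `form` comes from the parsed POST body; the log line goes to a file the admin reviews for repeat offenders.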