[thelist] FW: For formmail users: Anonymous Mail Forwarding Vulnerabilities in FormMail 1.9
Shoshannah Forbes
xslf at xslf.com
Thu Jan 24 02:26:11 CST 2002
This might be of interest to some people here...
Regards,
Shoshannah Forbes
<tip author="Shoshannah Forbes">
Want more tips then I can ever post at evolt? Then check out
http://www.websitetips.com/index.html
</tip>
<tip author="Shoshannah Forbes">
Wondering how to make your pages work properly in mozilla? A good start
would be to visit http://mozilla-evangelism.bclary.com/fep/ and go over the
tips.
</tip>
------ Forwarded Message
From: "Ronald F. Guilmette"
Date: Wed, 23 Jan 2002 20:22:27 -0800
To: SPAM-L at PEACH.EASE.LSOFT.COM
Subject: MISC,BLOCK: Anonymous Mail Forwarding Vulnerabilities in FormMail
1.9
A Postscript version of my security advisory for FormMail 1.9 may be
viewed at:
http://www.monkeys.com/anti-spam/formmail-advisory.ps
(I would post the whole thing here, but it's too big.)
SUMMARY: FormMail 1.9 is the functional equivalent of an anonymizing
open mail relay.
An entertaining working demonstration of a 100% client-side Javascript
exploit for older and already well-known FormMail 1.6 version security
flaws may be found at:
http://www.monkeys.com/formmailer/
Use this at your own risk! And read the documentation before doing so!
(If you get busted using it, that's 100% YOUR PROBLEM.)
A revised version of FormMail 1.9 (which I am calling 1.9s) which is
believed to be free of any and all of the security flaws described in
the advisory below is now available at:
ftp://ftp.monkeys.com/pub/formmail/1.9s/
This version is only being supplied for the benefit of those few sites
that are, due to a total lack of programming talent, absolutely and
totally unable to simply remove FormMail and replace it with their own
locally-implemented replacement script. WARNING: This alternative
version of FormMail HAS NOT BEEN CODE REVIEWED AND HAS NOT EVEN BEEN
TESTED. There is NO WARRANTY, either express or implied. I have been
totally unable to even get into contact with the original FormMail
author, so you may be sure that he has not even seen this (1.9s)
version of his script.
My apologies for the length of the advisory, but there was a lot of
stuff to talk about. I hope that this will help future implementors
of ``contact us'' type CGI scripts to avoid a lot of pitfalls.
Regards,
rfg
------ End of Forwarded Message
More information about the thelist
mailing list