[thelist] Re: [thelist] FormMail exploits...

John C Bullas jcbullas at nildram.co.uk
Tue Feb 3 15:00:07 CST 2004


At 20:44 03/02/2004, you wrote:
> > Colleagues
> >
> > As neither a user of cgi-bins (I rename them) nor FormMail (I use BFormMail)
> > these don't worry me.. should they if I had got FormMail in a cgi-bin?
> >
> > what could this (virus driven?) exploit do?
>
>More likely a spammer wannabe scanning for formmail or cgiemail,
>which he would then use to send himself mail; if that was delivered
>he would open the spam floodgates. I let one through once and the
>little b-gger kept hammering me for three weeks, even though I never
>let another bit of his stuff through.
>
>They're also crafty as all get out, so even if BFormMail has a
>good track record, be careful that it does not trust ANY user
>input in ANY mail header.

BFormMail is reasonably secure AFAIK, as you specify the IP that can call
the script and explicitly define the destination email addresses (the old
FormMail address-spoofing flaw was removed).

http://www.monkeys.com/anti-spam/formmail-advisory.pdf

Not totally hack-proof, but pretty good?

FB 
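The two controls discussed in this thread (a fixed, server-side destination address rather than one taken from the form, and refusing any user-supplied value that could smuggle a line break into a mail header) as an added example; this is not part of the post and not BFormMail's or FormMail's own code. The handler names, the example.com/example.net addresses and the allowed-recipient set are assumptions, and the spammer's form submission is constructed for the demonstration.

```python
"""Added example (not BFormMail's or FormMail's code): a minimal form-to-mail
handler next to the naive concatenation that lets a spammer inject headers."""
import email
import re
from email.message import EmailMessage
from email.policy import SMTP

# Hypothetical site configuration: the only addresses the script may mail to.
ALLOWED_RECIPIENTS = {"webmaster@example.com", "sales@example.com"}

# Anything that ends up in a mail header may not contain CR, LF or any other
# control character; an embedded "\r\nBcc: ..." is the whole header-injection trick.
_HEADER_CTRL = re.compile(r"[\x00-\x1f\x7f]")


class HeaderInjection(ValueError):
    pass


def check_header_value(value: str) -> str:
    """Return the value unchanged, or raise if it could break out of its header."""
    if _HEADER_CTRL.search(value):
        raise HeaderInjection(f"control character in header field: {value!r}")
    return value


def naive_message(form: dict) -> str:
    """The classic flaw: recipient taken from the form, raw string concatenation."""
    return (
        f"To: {form['recipient']}\r\n"
        f"From: {form['email']}\r\n"
        f"Subject: {form['subject']}\r\n"
        "\r\n"
        f"{form['message']}\r\n"
    )


def safe_message(form: dict) -> EmailMessage:
    """Build the mail with a fixed sender, an allow-listed recipient and
    control-character checks on every user-supplied header value."""
    recipient = form.get("recipient", "")
    if recipient not in ALLOWED_RECIPIENTS:
        raise ValueError(f"recipient not allowed: {recipient!r}")
    msg = EmailMessage(policy=SMTP)
    msg["From"] = "form-handler@example.com"  # the server is the sender
    msg["To"] = recipient
    # The visitor's address is data, not the envelope sender: put it in
    # Reply-To after the check so the site can still answer them.
    visitor = check_header_value(form.get("email", ""))
    if visitor:
        msg["Reply-To"] = visitor
    msg["Subject"] = check_header_value(form.get("subject", "")) or "Web form submission"
    msg.set_content(form.get("message", ""))  # body text is free-form
    return msg


def handle_form(form: dict) -> tuple[bool, str]:
    """Entry point a CGI wrapper would call: (accepted, raw message or reason)."""
    try:
        msg = safe_message(form)
    except ValueError as exc:  # HeaderInjection is a ValueError too
        return False, str(exc)
    return True, msg.as_string()


def headers_named(raw: str, name: str) -> list[str]:
    """Parse a raw message and return every header with this name; an injected
    Bcc shows up here, a clean message has none."""
    return email.message_from_string(raw).get_all(name, [])


if __name__ == "__main__":
    # Constructed spammer submission: a valid-looking address with a Bcc
    # folded into the e-mail field.
    evil = {
        "recipient": "webmaster@example.com",
        "email": "attacker@example.net\r\nBcc: spamlist@example.net",
        "subject": "hi",
        "message": "body",
    }
    print("naive handler leaks:", headers_named(naive_message(evil), "Bcc"))
    print("safe handler:", handle_form(evil))
```

Running the block shows the naive handler emitting a `Bcc:` header the visitor never typed, while the hardened handler rejects the same submission before anything is built; changing `recipient` to an address outside `ALLOWED_RECIPIENTS` is rejected the same way, which is the "explicitly define the destination" control above.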


