[thelist] FW: For formmail users

Keith cache at dowebs.com
Thu Jan 24 13:53:01 CST 2002


Chris

> I'm certainly no perl expert by a long shot. I've set up a version of
> FormMail, modified so that the @recipients list isn't even referenced,
> instead hard coding the To: header in my script. Is this considered
> secure from spammers, or am I being naive?

It really should make no difference whether you hard code a list of
approved recipients into an array (@recipients) or into a scalar or
even onto the To: line. They all close the spam hole of the original
Matt Wright script. That hole picked up the recipient from a hidden
form field on the submitted form and checked to see if the form was
submitted from an approved referrer. The http referrer should never
be used for that kind of authentication since it can be easily faked.

Hard coding the To: header in your script is secure from this exploit
if it is in the format

print MAIL "To: me\@my.isp\n";

If you are using the format

$recipient = "me\@my.isp";
print MAIL "To: $recipient\n";

That would also be secure IF $to_email is found nowhere else on
the script where it might pick up its value from outside the script.

FWIW, the new version of Matt Wright's formmail.pl (1.9), available at
http://www.worldwidemart.com/scripts/formmail.shtml,
now closes the earlier spam and environment variable
vulnerabilities and is handily backwards compatible with forms
pointing to earlier exploitable versions of that script. The author of
Shoshannah's forwarded advisory claims on their website to have
found vulnerabilities with Matt's new version 1.9 yet disingenuously
offers no details, whereas http://www.securityfocus.com/bid/2469
reports no bugtraq vulnerabilities for the new Matt Wright 1.9 script.
The author of that advisory also claimed "I have been totally unable
to even get into contact with the original FormMail author..."
Perhaps the email address posted on Matt's site,
mattw at worldwidemart.com, should have been used as it's worked
for me in the past on this very issue.

keith
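One way to implement the recipient check Keith describes, shown as an added Perl example that is neither Matt Wright's script nor code Keith posted; the @recipients list, the form field names and the sendmail invocation in the comment are assumptions:

```perl
#!/usr/bin/perl
# Added example (not Matt Wright's code): a recipient check that closes the
# hole described above. The @recipients list, the form field names and the
# sample input are assumptions for illustration.
use strict;
use warnings;

# Hard-coded allowlist. Anything the browser submits is only ever compared
# against this list; it never becomes a To: header on its own.
my @recipients = ('me@my.isp', 'webmaster@my.isp');

# Returns the approved address, or undef if the submitted value is not allowed.
sub approved_recipient {
    my ($submitted) = @_;
    return undef unless defined $submitted;
    # A CR or LF in the value would let extra mail headers be appended,
    # so reject it outright rather than trying to clean it.
    return undef if $submitted =~ /[\r\n]/;
    for my $ok (@recipients) {
        return $ok if lc($submitted) eq lc($ok);   # exact match, not substring
    }
    return undef;
}

# The pattern of the original script, kept only for contrast: trusting the
# hidden "recipient" field because the Referer looked right. The Referer is
# client-supplied, so this check authenticates nothing.
sub vulnerable_recipient {
    my ($submitted, $referer) = @_;
    return $submitted if defined $referer && $referer =~ m{^http://www\.my\.isp/};
    return undef;
}

# Hand-built sample input standing in for the CGI form fields.
my %form = (recipient => 'someone@example.com', email => 'visitor@example.net');
my $to = approved_recipient($form{recipient});
if (defined $to) {
    # open(MAIL, "|/usr/lib/sendmail -t"); print MAIL "To: $to\n"; ...
    print "would send to $to\n";
} else {
    print "rejected recipient: $form{recipient}\n";
}
```

With the constructed input above the submitted address is not in @recipients, so the script refuses to send; swap in 'me@my.isp' to see the approved path.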
