BugTraq
XSS (Cross Site Scripting) on FormMail.CGI Jan 11 2003 04:50PM
Rynho Zeros Web (hackargentino gmx net) (1 replies)
Re: XSS (Cross Site Scripting) on FormMail.CGI Jan 21 2003 03:04AM
Scott Buchanan (scott buchanan axe net au)

According to the script at: http://www.l-c-u.com.ar/cgi-sys/FormMail.cgi
which says:

FormMail-Clone
This is FormMail-clone, a clone of FormMail.cgi. It is a clean room version
for legal purposes (a less restrictive liscense), but should behave the
exact same way as Matt Wright's Original, but contain none of his code.

it isn't the same script as: http://www.scriptarchive.com/formmail.html

It is nice to see that Matt Wright has finally updated FormMail to be less
SPAM friendly, but there have been a few more secure alternatives around
for a while - there's even a link to 'NMS' FormMail on the Script Archive page.

Rynho Zeros Web wrote:
> #############################################################
>
> Topic: XSS (Cross Site Scripting) on FormMail.CGI
> Version: 1.92
> Released: April 21, 2002
> Manufacturer: http://www.scriptarchive.com/formmail.html
>
> By XyborG - xyborg (at) bigfoot (dot) com - http://www.rzweb.com.ar/
>
> #############################################################
>
>
> FormMail.cgi is a utility that serves to send forms by email, among other
> uses.
>
> The operation is simple. See the example:
>
>
> http://www.l-c-u.com.ar/cgi-sys/FormMail.cgi?<script>alert("<center>Sorry,this\nis\nthe\nsecurity\nsite?\nNo_lo_Creo\n\nCyervo_Lamos...");</script>
>
> Duh!
>
> #############################################################

--
regards,

scott buchanan / systems engineer
scott.buchanan (at) axegroup.com (dot) au
axe group 51a hume street crows nest nsw 2065 australia
abn 62 095 107 814 t +61 2 9966 9336
f +61 2 9966 9337

This email and any files transmitted with it are confidential and intended
solely for the use of the individual or entity to whom they are addressed.
If you have received this email in error please notify axe group.
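
Added example, not part of either post and not FormMail code: a reflected query string rendered with and without output escaping, written in Python rather than FormMail's Perl. It assumes the script URL-decodes the query string and echoes it into an HTML page (the posts do not show that code); the function names and sample inputs are constructed.

```python
# Added example, not FormMail code. Assumption: the script URL-decodes the
# query string and echoes it into an HTML error page.
import html
from urllib.parse import unquote_plus

PAGE = "<html><body><h1>Error</h1><p>Bad request: {detail}</p></body></html>"


def render_unsafe(query_string: str) -> str:
    """Vulnerable pattern: decoded request data is pasted into markup as-is."""
    return PAGE.format(detail=unquote_plus(query_string))


def render_safe(query_string: str) -> str:
    """Hardened pattern: decode first, then HTML-escape at the point of output."""
    detail = unquote_plus(query_string)
    # quote=True also escapes " and ', so the value stays inert if it is
    # later moved into an attribute.
    return PAGE.format(detail=html.escape(detail, quote=True))


def escape_then_decode(query_string: str) -> str:
    """Wrong order, for contrast: escaping before decoding misses %3C and %3E."""
    return PAGE.format(detail=unquote_plus(html.escape(query_string, quote=True)))


# Constructed inputs: the shape of the query string quoted in the post (alert
# body shortened), once raw and once percent-encoded.
RAW = '<script>alert("x");</script>'
ENCODED = "%3Cscript%3Ealert(%22x%22)%3B%3C/script%3E"

if __name__ == "__main__":
    renderers = [("unsafe", render_unsafe), ("safe", render_safe),
                 ("escape-then-decode", escape_then_decode)]
    for name, fn in renderers:
        for label, qs in (("raw", RAW), ("encoded", ENCODED)):
            live = "<script>" in fn(qs)
            print(f"{name:20} {label:8} script tag reaches page: {live}")
```
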