• News
• Infocus
• Foundations
• Microsoft
• Unix
• IDS
• Incidents
• Virus
• Pen-Test
• Firewalls
• Columnists
• Mailing Lists
• Newsletters
• Bugtraq
• Focus on IDS
• Focus on Linux
• Focus on Microsoft
• Forensics
• Pen-test
• Security Basics
• Vuln Dev
• Vulnerabilities
• Jobs
• Job Opportunities
• Resumes
• Job Seekers
• Employers
• Tools
• RSS
• News
• Vulns
• Security Research

• info
• discussion
• exploit
• solution
• references

FormMail Recipient CGI Variable Spamming Vulnerability

FormMail is a widely-used web-based e-mail gateway, which allows form-based input to be emailed to a specified user. It is written in Perl and will run on most Linux and Unix variants, in addition to Microsoft Windows operating systems.

A vulnerability exists in FormMail which permits a remote user to send anonymous email to arbitrary recipients.

The script is designed to accept variables from any form and mail them to a specified recipient email address.

The script relies on an HTTP variable for this email address, and provides no indication of the original sender (via the CGI interface) in the email.

This can be employed to send anonymous spam or forged e-mails, potentially in large volumes.

It should be noted that FormMail 1.9 is still prone to this issue. FormMail 1.9 employs measures to attempt to validate the legitimacy of the recipient address. However, it has been reported that these measures may be circumvented via cleverly crafted input.