Exploit this formmail.pl for fun and, well, fun. (LONG)

Ok. I'm prepared for major downvotes for even doubting the Monks on this. But it is popular opinion here that Matt's Script Archive (MSA) formmail.pl is "insecure". To me "insecure" means that using this script will cause your web server to become vulnerable to attack of the type which allows access by unauthorized individuals. This is a separate and distinct failing in a script from the lesser affliction "easily broken"-- which simply means that the script can be caused to fail due to programming errors that failed to account for some input.

The code below is, I think, the most recent MSA formmail.pl and even I can see that it is easily broken. But is it insecure? If it is insecure, why is it that there isn't a Code RedHat worm crawling the web looking for pages with forms that submit to a script called formmail.pl? MSA formmail.pl is extremely common, after all.

I will point out some obvious flaws, and artifacts to get the discussion going, but none of these are server-endangering in any capacity that I'm aware of. If they are, the Perl Monks community has an opportunity to make sure that we review and publicize the existence of a secure alternative (perhaps btrott's STAMP), and get it on CPAN. If nothing else, the replies to this post of mine will serve as further information for the curious.

The flaws that I notice:

Does not use CGI. This means that form input has to be hand-parsed. Is this potentially insecure, or is it just trivial to break, resulting in a 500 error or no action for the user?
Relies on system calls to sendmail. It does have the path hardcoded in full for this, and could conceivably point to any MTA. Is this a concern given the next point?
Does not use Taint mode. We all know that taint will prevent accidentally letting the user send unchecked information to the system. It is not a magic bullet, since in using it we still have to decide what to allow, and the strength of our script depends on what we allow.
Does not use -w or strict. These are great for development. But if it could compile under -w and strict, and produce no warnings or halts, then it is safe to take them out right? Note: formmail.pl does not compile under strict. Under -w it only emits one warning. added: as chipmunk points out, these have runtime effects as well, so taking them out in production will not catch certain runtime errors that are part of the benefits of the -w and strict. Once they're there I see no reason to take them out again and wouldn't recommend it, unless you have some BOFH who just won't stand for detailed and descriptive error logs.
Script retains artifacts of the code that made it insecure in the past-- interesting but not useful code that isn't breaking the script, but isn't actually improving its quality. See $ENV{'HTTP_REFERER'}. This used to provide an open relay since it is trivially spoofed, but the newer script also checks for valid recipients, and those cannot be spoofed, since the valid domains for recipients have to be hard-coded into formmail.pl.

In the script's defense, it looks to have been written in a Perl 4 style (at a time when this would have been appropriate). Matt may not be interesting in changing the ability to run this on a Perl 4 machine (does it, in fact, still run on a Perl 4 machine?). While Matt may be overly concerned with backwards compatibility, is his method of staying compatible a security risk?

UPDATE: I have removed the code from Matt's Script Archive and replaced it with this link to formmail.pl. After reading the copyright statement, I felt I was possibly engaging in distribution of the script-- an activity I did not obtain permission to engage in.

Comment on Exploit this formmail.pl for fun and, well, fun. (LONG)

Replies are listed 'Best First'.
Re: Exploit this formmail.pl for fun and, well, fun. (LONG) by chipmunk (Parson) on Aug 07, 2001 at 18:11 UTC
Does not use -w or strict. These are great for development. But if it could compile under -w and strict, and produce no warnings or halts, then it is safe to take them out right? I would have to disagree with that. It's true that -w and use strict provide useful checks at compile time, but they also operate at run time. strict 'refs', which prevents the use of symbolic references, only works at run time. Warnings that occur at run time include 'Use of uninitialized value', 'Filehandle opened only for input', and 'Exiting subroutine via next'. So, if your program compiles without error or warning, that's great, but there may still be bugs that -w and use strict can only report while the program is running.	[reply]
Re: Exploit this formmail.pl for fun and, well, fun. (LONG) by Cirollo (Friar) on Aug 08, 2001 at 00:04 UTC
I sent an email to Matt Wright a few weeks ago, and I included a link to some discussion on Perl Monks regarding the cruftiness of the MSA code. His response said that he would love to rework his scripts, and has even done work on some of them, but other projects have taken up too much of his time (and I'm sure we all know how that feels). Here is an idea: If someone were to create drop-in relacements for any or all of his scripts and send them to him, I think that he would be more than happy to replace the ones on his site, and give credit where credit is due. So, we should stop complaining and start coding ;)	[reply]
Re: Re: Exploit this formmail.pl for fun and, well, fun. (LONG) by runrig (Abbot) on Aug 08, 2001 at 00:44 UTC
There was some project started awhile ago on comp.lang.perl.misc to rewrite Matt's scripts. I don't know how far it got or where it is today. If someone were to create drop-in relacements for any or all of his scripts and send them to him, I think that he would be more than happy to replace the ones on his site, and give credit where credit is due. I doubt it. His scripts provide him with plenty of work from people trying to deploy them. If he fixed them, there'd be alot less work. Frankly, if I were him, I'd be embarrassed to still display them without a large, loud, disclaimer of "Here's some stuff I wrote when I was still in diapers. It needs alot of work to be usable, and I don't actually recommend using it."	[reply]
Re: Exploit this formmail.pl for fun and, well, fun. (LONG) by Mr.T (Sexton) on Aug 09, 2001 at 21:20 UTC
ichimunki, I have a question for you: Why do you feel like bringing up scripts from MSA? It's an old place, and I hope that no one is really still using scripts from there... it's kind of like opening a closet of skeletons... there is no point! :) Maybe it should just be left as it is, because you and all of us already know that it is old, and not secure enough to use in today's internet world of Perl >= 5.xxx... I was just wondering, because perhaps you already knew that this was not the best question in the world, since you said that you were prepared for major downvotes :). Just my opinion. *Mr.T* qw/"I pity da foo' who don't use Perl!"/;	[reply]
(ichimunki) re x 2: Exploit this formmail.pl ... by ichimunki (Priest) on Aug 10, 2001 at 01:33 UTC
MSA formmail.pl is one of the most widely used Perl scripts I know of. If you go shopping for a web host you will frequently see them offering formmail.pl as a way for HTML-only coders to enable their otherwise non-CGI sites to generate email -- this is the only way someone with a non-dynamic site can get feedback. The script archive is not "an old place", it is current. In fact formmail.pl was just updated to patch a security hole less than ten days ago. The simple truth is that this script is in widespread use and a discussion of it is very relevant. We have even had some newer Monks on PM asking about it. Finally, it is a popular mantra here at PM to deride the use of formmail.pl-- some have said that it is insecure, others have said it opens the servers to being "owned". I looked at the script. I saw no such danger with the latest version. And the major security concern with the previous version allowed anyone to use formmail.pl to send email from a server they weren't authorized to use. While I find that to be an important flaw, it is not critical. There is a big difference between an open relay and an "owned" machine. My conclusion was that the script is acceptable-- I made my post to make sure I had all the facts (and I think I've gotten enough of them to reach my conclusion). It just wouldn't be my choice of script to use-- but I can code Perl and make my own script tailored to my exact needs. I have no reason to rely on this since I don't write HTML anymore, I write CGIs and let them do that for me. For those who don't code Perl, I am not going to worry if they want to use this script (the current version).	[reply]
Re: (ichimunki) re x 2: Exploit this formmail.pl ... by Mr.T (Sexton) on Aug 10, 2001 at 01:38 UTC
Wow, sorry for making it sound like I thought I knew what I was talking about! :) I didn't know that MSA is current, I always just thought it was an archive of sorts. Thanks for clearing that up for me! :) *Mr.T* qw/"I pity da foo' who don't use Perl!"/;	[reply]