Re: Probed for formmail.pl

Just looks like another less than nice request (probably just trying to spam through). I don't think setting up a honeypot or anything of that sort is at all worthwhile. Personally I wouldn't waste any time on it, just move on to reading the ever exciting 1000+ attempts from various worms ;-)

On a related note, I know there has been much discussion about Matt's scripts and their poor security (amoung other flaws) but I haven't seen any specific examples of how these could be exploited. Can anyone elaborate on what exactly could be done, or are the security problems purely theoretical?

Update: Upon re-reading this, I can see how this post could be misinterpreted. Just to clarify, I'm looking for a general description of where the security problems arise, not specific code to exploit it. Is it anything more than validating the referrer and turning on taint checking couldn't fix?

Comment on Re: Probed for formmail.pl

Replies are listed 'Best First'.
(ichimunki) Re x 2: Probed for formmail.pl by ichimunki (Priest) on Nov 23, 2001 at 19:20 UTC
I can speak only to more recent versions of formmail.pl which, as written, can trivially be caused to fail. Any point of failure is a likely vulnerability-- but none that I could specifically find when I looked at formmail.pl (and none that anyone here in several discussions has been willing to state out loud-- even just saying something like "it has a null string problem" or "there is a buffer overflow issue"). My conclusion (which is not that of a known security expert, or even adept cracker) is that the current version is undesirable for many reasons, the main one being its likelihood to fail. The last version, however, your CGI script was essentially an open mail relay, since the form submitted by the user was trusted to contain the correct email address to which to send the email. Most recent discussion on securityfocus.com of a formmail exploit -- again, this exploit does not work against the newest version of formmail.pl. But back to the original question there does appear to be a tool which checks for potential vulnerabilities like having formmail installed. sample log from a survey by that tool posted at securityfocus.com. Note that the tool is checking for all sorts of misconfigurations and scripts known to have (or have had) vulnerabilities.I link to that discussion not because I think it is ethical to use such tools on remote systems under any circumstances (i.e. no matter the legality, I feel this sort of thing is akin to walking through neighborhoods checking for unlocked doors-- just don't do it), but because the logs posted are educational with respect to many potential vulnerabilities any of us doing web work might encounter.	[reply]
Re: Re: Probed for formmail.pl by jepri (Parson) on Nov 23, 2001 at 12:06 UTC
Yes, the vulnerbility is real. No, we aren't going to write it down here. If you are really interested, set the script up on your own machine and see how hard it is to break. ____________________ Jeremy I didn't believe in evil until I dated it.	[reply]
(ichimunki) Re x 2: Probed for formmail.pl by ichimunki (Priest) on Nov 24, 2001 at 21:00 UTC
I forgot to address part of your question, and wanted to make sure I did. First, you can't validate the referer field. It is set by the client and could easily be forged to the correct value. Taint checking is not a cure-all. It won't keep your program from doing insecure things if your program is designed to do insecure things (like acting as an open relay). It will keep you from accidentally sending user data to the shell or a system process where it can cause a lot of damage-- but it is limited by the logic you use to detaint input. If formmail.pl were truly an open gate to rooting a box, then why hasn't it been done on a large scale? The script is everywhere on low-cost hosting services, and has been around a while. We'd forget all about IIS and Outlook for a while, I'd think...	[reply]