I can speak only to more recent versions of formmail.pl which, as written, can trivially be caused to fail. Any point of failure is a likely vulnerability-- but none that I could specifically find when I looked at formmail.pl (and none that anyone here in several discussions has been willing to state out loud-- even just saying something like "it has a null string problem" or "there is a buffer overflow issue").

My conclusion (which is not that of a known security expert, or even adept cracker) is that the current version is undesirable for many reasons, the main one being its likelihood to fail. The last version, however, your CGI script was essentially an open mail relay, since the form submitted by the user was trusted to contain the correct email address to which to send the email. Most recent discussion on securityfocus.com of a formmail exploit -- again, this exploit does not work against the newest version of formmail.pl.

But back to the original question there does appear to be a tool which checks for potential vulnerabilities like having formmail installed. sample log from a survey by that tool posted at securityfocus.com. Note that the tool is checking for all sorts of misconfigurations and scripts known to have (or have had) vulnerabilities.I link to that discussion not because I think it is ethical to use such tools on remote systems under any circumstances (i.e. no matter the legality, I feel this sort of thing is akin to walking through neighborhoods checking for unlocked doors-- just don't do it), but because the logs posted are educational with respect to many potential vulnerabilities any of us doing web work might encounter.

In reply to (ichimunki) Re x 2: Probed for formmail.pl by ichimunki
in thread Probed for formmail.pl by grinder

Title:
Use:  <p> text here (a paragraph) </p>
and:  <code> code here </code>
to format your post, it's "PerlMonks-approved HTML":


  • Posts are HTML formatted. Put <p> </p> tags around your paragraphs. Put <code> </code> tags around your code and data!
  • Titles consisting of a single word are discouraged, and in most cases are disallowed outright.
  • Read Where should I post X? if you're not absolutely sure you're posting in the right place.
  • Please read these before you post! —
  • Posts may use any of the Perl Monks Approved HTML tags:
    a, abbr, b, big, blockquote, br, caption, center, col, colgroup, dd, del, details, div, dl, dt, em, font, h1, h2, h3, h4, h5, h6, hr, i, ins, li, ol, p, pre, readmore, small, span, spoiler, strike, strong, sub, summary, sup, table, tbody, td, tfoot, th, thead, tr, tt, u, ul, wbr
  • You may need to use entities for some characters, as follows. (Exception: Within code tags, you can put the characters literally.)
            For:     Use:
    & &amp;
    < &lt;
    > &gt;
    [ &#91;
    ] &#93;
  • Link using PerlMonks shortcuts! What shortcuts can I use for linking?
  • See Writeup Formatting Tips and other pages linked from there for more info.