
4/09/2002

FormMail Anonymous Email/Spamming Vulnerability

RELEASED: March 14, 2001
AFFECTS: FormMail 1.0, 1.1, 1.2, 1.3, 1.4, 1.5, 1.6
REFERENCE: http://www.securityfocus.com/bid/2469

- A vulnerability exists in FormMail which permits a remote user to send anonymous email to arbitrary recipients. The script is designed to accept variables from any form and mail them to a specified email address. The script takes this recipient address from an HTTP form variable, so the submitter controls it, and the resulting message carries no indication (via the CGI interface) of who the original sender was.
- This can be employed to send anonymous spam or forged e-mails, potentially in large volumes.
SAFER
- Workaround: hard-code the desired recipient address into the script, preventing a hostile user from specifying another value.
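The two patterns the advisory contrasts, as an added illustration that is not FormMail's own code: a form-to-mail handler that reads the recipient from the submitted form field (the weak design) beside one that ignores the request and uses a hard-coded recipient (the workaround), and that also records the submitting client's address so the message is no longer anonymous. The form field names, the recipient address and the `X-Form-Remote-Addr` header name are assumptions for the example; nothing is actually sent, the handler only builds the message.

```python
"""Hypothetical form-to-mail handler: recipient-from-form vs hard-coded recipient.

Added example, not code from FormMail or its author. build_message() returns
the EmailMessage that a real handler would hand to an MTA; it never sends.
"""
from email.message import EmailMessage
from typing import Callable, Mapping, Optional

# The advisory's workaround: the only address mail may go to, fixed in the
# script rather than taken from the request. Assumed value for this example.
HARDCODED_RECIPIENT = "webmaster@example.org"


def resolve_recipient_unsafe(fields: Mapping[str, str]) -> Optional[str]:
    """Weak pattern: whoever submits the form chooses where it is mailed.

    This is the behaviour the advisory describes; a remote user can fill in
    any address, so the script becomes an open relay for anonymous mail.
    """
    return fields.get("recipient")


def resolve_recipient_safe(fields: Mapping[str, str]) -> str:
    """Hardened pattern: the request is not consulted for the recipient at all."""
    return HARDCODED_RECIPIENT


def build_message(
    fields: Mapping[str, str],
    resolver: Callable[[Mapping[str, str]], Optional[str]],
    remote_addr: str,
) -> EmailMessage:
    """Build the outgoing message from submitted form fields.

    `remote_addr` is the client address the web server saw (REMOTE_ADDR in a
    CGI environment). Recording it in a header gives the mail a traceable
    origin, which the advisory notes the vulnerable script lacks.
    """
    recipient = resolver(fields)
    if not recipient:
        raise ValueError("no recipient could be determined; refusing to build mail")

    msg = EmailMessage()
    msg["To"] = recipient
    # The From address is still user-supplied data; it is only a label here.
    msg["From"] = fields.get("email", "anonymous@form.invalid")
    msg["Subject"] = fields.get("subject", "Form submission")
    # Assumed header name: ties the message back to the submitting client.
    msg["X-Form-Remote-Addr"] = remote_addr
    msg.set_content(fields.get("message", ""))
    return msg


if __name__ == "__main__":
    # Constructed sample submission: a form that tries to pick its own target.
    submission = {
        "recipient": "someone-else@example.net",
        "email": "visitor@example.com",
        "subject": "hello",
        "message": "form body",
    }
    print("unsafe resolver would mail:", resolve_recipient_unsafe(submission))
    print("safe resolver mails:", resolve_recipient_safe(submission))
    print(build_message(submission, resolve_recipient_safe, "203.0.113.5"))
```

With the safe resolver the `recipient` field in the submission is simply ignored, so a hostile submitter gains nothing by setting it; the sender-address and subject fields remain attacker-controlled text and are treated only as labels inside the message.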
