FormMail Anonymous Email/Spamming Vulnerability FormMail Anonymous Email/Spamming Vulnerability

RELEASED: March 14, 2001
AFFECTS: FormMail 1.0, 1.1, 1.2, 1.3, 1.4, 1.5, 1.6

- A vulnerability exists in FormMail which permits a remote user to send anonymous email to arbitrary recipients. The script is designed to accept variables from any form and mail them to a specified email address. The script relies on an http variable for this email address, and provides no indication of the original sender (via the CGI interface) in the email.
- This can be employed to send anonymous spam or forged e-mails, potentially in large volumes.
- Workaround: hard-code the desired recipient address into the script, preventing a hostile user from specifying another value.

No comments: