Re: SECURITY HOLE: FormMail
On Wed, 2 Aug 1995, Paul Phillips wrote:
> In article <DCpnJ9.4Kq@k12.colostate.edu> mattw@alpha.pr1.k12.co.us
> (Matthew M. Wright) writes:
> >My script at:
> >
> >http://alpha.pr1.k12.co.us/~mattw/scripts.htm
> >
> >called FormMail does this exact thing. It works pretty much on any form and
> >you just have to specify the email address of yourself in a hidden field in
> >the form. I don't think that this script has a security hole in it as
> >mentioned in a previous posting about a program called AnyForm. It pipes the
> >information to you in a different way. Of course if there was anyone who
> >wanted to check this I don't think it would hurt.
>
> Okay folks, you know the drill.
>
> It does have a security hole, it has the *exact* same hole that
> AnyForm did, except that it is exploited via open instead of system.
> But a shell by any other name...
>
> Here's the offending line:
>
> open (MAIL, "|$mailprog $FORM{'recipient'}") || die "Can't open $mailprog!\n";
I didn't realize until now that that was a security problem, but now I
see that you can put any text for 'recipient' and screw the works up. We
were using form-mail before, but now we're using webmonitor from NCSA
which seems to prevent this because it uses nicknames in a data file.
Mike.
=============================================================================
Michael Kerr (Webmaster) PHONE: (519) 685-8300 x7364
Victoria Hospital FAX: (519) 685-8305
World Wide Web Development Team http://www.vichosp.london.on.ca
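
The nickname lookup described in the reply above, combined with a piped open that does not go through a shell, as an added example that is not part of the original messages and is not FormMail's or webmonitor's own code. The sendmail path, the nickname table, the addresses and the function names are assumptions made for this sketch.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumed values for this sketch: the sendmail path and the nickname table
# (a hash stands in for the data file a nickname-based mailer would read).
my $mailprog  = '/usr/lib/sendmail';
my %NICKNAMES = (
    webmaster => 'webmaster@example.org',
    feedback  => 'feedback@example.org',
);

# Map the form's 'recipient' field to a configured address.
# Anything that is not an exact key is rejected, so the form value itself
# never becomes part of an address or of a command line.
sub resolve_recipient {
    my ($nick) = @_;
    return undef unless defined $nick && $nick =~ /\A[A-Za-z0-9_-]{1,32}\z/;
    return $NICKNAMES{$nick};    # undef when the nickname is unknown
}

# Send a message. The list form of a piped open runs $mailprog directly,
# with no shell in between, and -t makes sendmail take the recipient from
# the To: header instead of from its arguments.
sub send_mail {
    my ($to, $subject, $body) = @_;
    $subject =~ s/[\r\n]+/ /g;    # keep a form value from adding headers
    open(my $mail, '|-', $mailprog, '-t', '-oi')
        or die "Can't run $mailprog: $!\n";
    print {$mail} "To: $to\nSubject: $subject\n\n$body\n";
    close($mail) or die "$mailprog exited with status $?\n";
}

# Constructed form input, including one value with shell metacharacters.
for my $field ('webmaster', 'nobody', 'webmaster; echo injected') {
    my $to = resolve_recipient($field);
    printf "%-28s => %s\n", "'$field'", defined $to ? $to : 'REJECTED';
    # send_mail($to, 'Form submission', 'body text') if defined $to;
}
```

Only the first constructed value resolves to an address; the other two are rejected before any mail program is started.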