Bugtraq mailing list archives

Re: CORRECTION to CODE: FormMail.pl can be used to send anonymous email


From: Joel Sing <jsing () ORIGIN NET AU>
Date: Mon, 12 Mar 2001 15:05:59 +1100

Hi,

   I did a little playing with FormMail.pl after a run-in with a spammer
abusing our webserver. Apparently ALL FormMail.pl cgi-bin scripts can be
used to spam anonymously.  I found another server with FormMail.pl and
tried the same exploit to send myself an email and it worked.

This appears to be correct. The current version has a configurable list of
referers that is supposed to prevent the script from being utilized from
unauthorized hosts. However there is an interesting assumption made in the
code:

    if ($ENV{'HTTP_REFERER'}) {
        foreach $referer (@referers) {
            if ($ENV{'HTTP_REFERER'} =~ m|https?://([^/]*)$referer|i) {
                $check_referer = 1;
                last;
            }
        }
    }
    else {
        $check_referer = 1;
    }

If the referer doesn't exist the script assumes everything is okay,
presumably to allow older browsers, or those that have referer turned off,
to access the script. This also means that a browser pointed directly to
the script can make use of it, as there is no referer in this case.

Bit of a problem to fix... Since most browsers return the referer string it
would probably be safer to remove this assumption from the code and simply
inform the user of the problem if no referer is provided.

In any case it wouldn't be difficult to send a fake referer as it's only an
HTTP request header and the server is only believing what the client is
telling it. Write a simple Perl script that sends a manipulated GET request
with a fake referer header and you have yourself a nice spam mailer... :(

Cheers,

Joel


-------------------------------------------------------------------------
          => Joel Sing | jsing () origin net au | 0419 577 603 <=
-------------------------------------------------------------------------

                DOS and Windows, a turtle and its shell

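The referer check as the post suggests it should behave, written as an added example that is not FormMail.pl's own code: a missing or empty Referer is rejected rather than accepted, and the allowed name is compared against the whole hostname. The function name check_referer() and the sample @referers list are constructed for the example; as the post notes, a client that forges the header still passes.

```perl
#!/usr/bin/perl
# Added example, not the FormMail.pl source. Rewrites the referer check so
# that an absent header is treated as a failure instead of a pass.
use strict;
use warnings;

# Constructed sample configuration in the style of FormMail's @referers.
my @referers = ('example.org', 'www.example.org');

# check_referer($referer, @allowed) -> 1 if the referer names an allowed
# host, 0 otherwise. Unlike the original, undef or '' yields 0, so a
# browser pointed directly at the script is refused.
sub check_referer {
    my ($referer, @allowed) = @_;
    return 0 unless defined $referer && length $referer;
    # Extract the hostname only, so the allowed name must match the whole
    # host rather than any substring of the URL.
    my ($host) = $referer =~ m|^https?://([^/:]+)|i or return 0;
    foreach my $allowed (@allowed) {
        return 1 if lc($host) eq lc($allowed);
    }
    return 0;
}

# Constructed cases: the legitimate form page, the direct-access case the
# post describes (no Referer header), an empty header, and another host.
my @cases = (
    [ 'http://www.example.org/contact.html', 1 ],
    [ undef,                                 0 ],
    [ '',                                    0 ],
    [ 'http://spammer.example.net/form.html', 0 ],
);

for my $case (@cases) {
    my ($ref, $expected) = @$case;
    my $got   = check_referer($ref, @referers);
    my $label = defined $ref && length $ref ? $ref : '(no referer)';
    printf "%-40s -> %d (expected %d)%s\n",
        $label, $got, $expected, $got == $expected ? '' : '  MISMATCH';
}
```

In a CGI context the first argument would be $ENV{'HTTP_REFERER'}, which is undef when the browser sends no header.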
