Security Patches Needed for Forms-to-Email Programs
Web Marketing Today, Issue 123, April 2, 2003
Perhaps the most popular forms-to-email program on the Web is Matt Wright's FormMail.pl (www.scriptarchive.com/formmail.html). If you're not using the latest version on your site (ver. 1.91, April 19, 2002), spammers could exploit security holes in earlier 1.5 and 1.6 versions to hijack your e-mail server to send out their garbage. Upgrade today if you haven't already by downloading this free program. Or check to make sure your web hosting service has the latest version.
See also SourceForge.net, Project: nms, especially for their most recent update of FormMail. This project is an attempt to provide replacements for all of the scripts from Matt's Script Archive, written when Matt was in high school, but hugely popular. Matt himself notes, "nms is an attempt by very active programmers in the Perl community to bring the quality of code for these types of programs up to date and eliminate some of the bad programming practices and bugs found in the existing Matt's Script Archive code," and he recommends them. http://sourceforge.net/projects/nms-cgi/
One of my favorite forms-to-email CGI programs is FormHandler.cgi, available in the CGI/Perl Cookbook, by Matt Wright and Craig Patchett.
But the version available in the book has a serious security hole that you must fix if you are going to use this script. You can find details about the problem at the Internet Security Systems site (http://www.iss.net/security_center/static/3550.php).
One possible way to solve this problem is to add a few lines of code right before line 516 (pp. 112-113 in the book) that kick out anyone who specifies a path for the "reply message template" or attachment that doesn't include the characters "/htdocs/" or "/www/" or whatever characters designate the web-accessible files on your web server. This prevents a hacker from trying to download password files that are kept in non-web-accessible directories on your web server. Here's an example:
    # Reject a reply-message template path that does not contain "www"
    # (substitute the string that marks your server's web-accessible tree).
    if ($CONFIG{'reply_message_template'}) {
        $CONFIG{'reply_message_template'} !~ /www/ && die "Invalid path.\n";
    }
    # Same check for the attachment path.
    if ($CONFIG{'reply_message_attach'}) {
        $CONFIG{'reply_message_attach'} !~ /www/ && die "Invalid path.\n";
    }
This may not work for your server, it may not be particularly elegant, nor do I take any responsibility for the security of any site that implements it. Ask a skilled programmer to create a patch for your site if you are using FormHandler.cgi.
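A stricter version of the same idea, added here as an example and not taken from the book or the article: instead of testing whether the configured path merely contains "www", resolve it to a canonical absolute path and require that it lie inside the web-accessible root, so that ".." components and symlinks cannot step outside it. The function name safe_web_path, the $DOCROOT placeholder and the temporary directory layout are assumptions made for the demo.

```perl
#!/usr/bin/perl
# Added example, not code from the book or the article: a stricter replacement
# for the substring test above. Rather than asking whether the configured path
# merely contains "www", resolve it to a canonical absolute path and require
# that it lie inside the web-accessible root. The directory layout below is
# constructed for the demo; on a real server pass your actual document root.
use strict;
use warnings;
use Cwd qw(abs_path);
use File::Spec;
use File::Temp qw(tempdir);

# Returns the canonical path if $path names a regular file under $root,
# otherwise undef. Both arguments are resolved first, so ".." components
# and symlinks cannot be used to reach a file outside $root.
sub safe_web_path {
    my ($path, $root) = @_;
    return undef unless defined $path && length $path;
    return undef if $path =~ /\0/;          # NUL bytes truncate names in C-level calls
    my $real_root = abs_path($root) or return undef;
    my $real = abs_path(File::Spec->rel2abs($path, $real_root));
    return undef unless defined $real && -f $real;
    # Prefix test with a trailing "/" so "/htdocs-private/x" is not accepted
    # when the root is "/htdocs".
    return index($real, "$real_root/") == 0 ? $real : undef;
}

# Constructed demo: a throwaway root with one template inside it and one
# file outside it.
my $base = tempdir(CLEANUP => 1);
mkdir "$base/$_" or die "$_: $!" for qw(www private);
for my $f ("$base/www/reply.txt", "$base/private/secret.txt") {
    open my $fh, '>', $f or die "$f: $!";
    print $fh "placeholder\n";
    close $fh;
}
# Both values contain "www", so the substring check above would pass both.
my %CONFIG = (
    reply_message_template => "$base/www/reply.txt",
    reply_message_attach   => "$base/www/../private/secret.txt",
);
for my $key (sort keys %CONFIG) {
    my $ok = safe_web_path($CONFIG{$key}, "$base/www");
    print "$key: ", (defined $ok ? "accepted" : "rejected"), "\n";
}
# Inside FormHandler.cgi the same check would replace the die() lines, with
# $DOCROOT set to the server's document root:
#   $CONFIG{$key} = safe_web_path($CONFIG{$key}, $DOCROOT) or die "Invalid path.\n";
```

The template path is accepted and the attachment path is rejected even though both contain "www", which is the case the plain substring test cannot catch.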