Security Advisory: Formmail CGI Advisory

Sent: 2002/10/29
Audience: Unix hosting customers

In recent months it has come to our attention that many of our UNIX customers are using, or have in their directory structure, the file formmail.cgi, formmail, etc. (In this article these will be referred to simply as 'formmail'; this is not to be confused with 'mailform', a script that we offer via the netConsole, which is explained a little later.) This script's intended function is to give webmasters the ability to generate e-mail messages from form input on their web pages. While this functionality is very useful on a website, the formmail script has a very particular security hazard that clients should be made aware of.

If formmail is present in your webshare or cgi-bin directory, it can be called via http (either by a web browser or via telnet to port 80) by any user out on the internet. One can pass certain parameters to the script during this request, and can easily turn this script into a conduit for sending out spam mail in large bulk simply by specifying any recipient address of their choosing from within the request. While sending 1 message per request may be a tedious task by hand, it appears that people have devised scripts to automate this task. These scripts scan IP blocks looking for sites that have one of the variations of formmail, and once a copy of formmail is located, they send out messages in massive bulk to unsuspecting recipients, and can do so virtually undetected since the messages originate from anonymous http requests.

How does this affect you as a client? There are several effects:

What can clients do to prevent these ill-effects? This can be done in two steps:

  1. Be sure that you do not have formmail.cgi, formmail, or any other variation on formmail present in your directory structure, especially in your cgi-bin. Even if you do not use the script in any of your website's pages, its mere presence leaves it open to use and exploitation.
  2. If you require the functionality that formmail offers where you do have forms on your website that you would like to send e-mail out from a webpage, you can achieve the same functions by using the mailform script that is available for install via the netConsole. Once you have installed the mailform script from the netConsole, you will need to update your html code on your forms to use mailform instead of formmail. The documentation for our mailform script is located on the Support area of our website:
  3. Our mailform script is a secure script that will only send messages to an address @ your domain name. If you do require the recipient address to be an address that is outside of your domain name, simply create an e-mail alias in your netConsole where the mailform messages can be sent to, and set the destination address of the e-mail alias to be the address where you wish to eventually receive the mailform messages.
  4. With your assistance in removing the presence of formmail from your sites, we can prevent many of the problems associated with spam on our network.
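The recipient rule that separates mailform from formmail, as an added example (this is not the provider's mailform code): a Python handler that only accepts a recipient at the site's own domain, shown next to the open-relay behaviour that accepts any address from the request. The domain example.com and the form field name recipient are assumptions.

```python
import re
from typing import Optional
from urllib.parse import parse_qs

SITE_DOMAIN = "example.com"  # assumed: the customer's own domain name

# Exactly one local part, one '@' and one domain; no spaces, commas or
# line breaks, so a value cannot carry extra recipients or mail headers.
_ADDR_RE = re.compile(r"\A[A-Za-z0-9._%+-]+@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)\Z")


def formmail_recipient(query: str) -> Optional[str]:
    """Open-relay behaviour: whatever 'recipient' the request names is used."""
    values = parse_qs(query).get("recipient")
    return values[0] if values else None


def mailform_recipient(query: str, site_domain: str = SITE_DOMAIN) -> Optional[str]:
    """Restricted behaviour: return the address only if it is @site_domain.

    Returns None (do not send) for anything else: other domains, look-alikes
    such as notexample.com, subdomains, several addresses, or CR/LF.
    """
    values = parse_qs(query).get("recipient")
    if not values or len(values) != 1:
        return None
    addr = values[0].strip()
    m = _ADDR_RE.match(addr)
    if m is None:
        return None
    # Compare the whole domain, case-insensitively. An endswith() check
    # would wrongly accept user@notexample.com.
    if m.group(1).lower() != site_domain.lower():
        return None
    return addr


if __name__ == "__main__":
    # Constructed request bodies of the kind a relay scanner would submit.
    for q in ["recipient=victim%40other.net&subject=hi",
              "recipient=sales%40example.com&subject=hi",
              "recipient=x%40notexample.com",
              "recipient=a%40example.com%2Cb%40other.net"]:
        print(q, "->", formmail_recipient(q), "|", mailform_recipient(q))
```

To reach an outside mailbox under this rule, the address handed to the script stays @example.com and the forwarding is done by an e-mail alias, as the advisory describes.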

