FormMail Security - Security Vulnerabilities in Matt Wright's FormMail Script and Solutions

Many web hosting companies include server support for CGI and Perl scripts, which add a great deal of functionality to their customers' websites. Many domain owners and webmasters use Perl CGI scripts to email the contents of feedback forms to themselves, and a lot of them use Matt Wright's FormMail script to do it. If you, or someone you know, are using Matt Wright's FormMail script, there is something very important you need to know: older copies of it are not secure.

Due to lax input handling and attacks that were not anticipated when it was written, all FormMail versions prior to version 1.92, released in April 2002, have serious security flaws. The worst of them is that the script trusted the destination address supplied by the HTML form (the hidden "recipient" field) rather than a list configured on the server, so anyone who could reach the script could make it send mail to addresses of their choosing. This lets a spammer take over the script's Sendmail function and turn your hosting account into a bulk email relay.

The first thing to do, if you use FormMail, is to check the version number. It is listed near the top of the script, inside the commented-out box (lines beginning with # are Perl comments). Here is what version 1.92 looks like in its copyright notice:

    # FormMail                        Version 1.92
    # Copyright 1996-2002 Matt Wright         mattw@scriptarchive.com
    # Created 06/09/95                Last Modified 04/21/02
    # Matt's Script Archive, Inc.:    http://www.scriptarchive.com/

If the version number is less than 1.92, run, not walk, to http://www.scriptarchive.com/formmail.html and download the latest version. Read the new instructions and security advice on the website and in the README included in the zip file, then configure the script for your website's domain name, IP address and allowed recipients (the @referers and @recipients settings), as recommended and described in the README notes. Do not leave the recipient list open: only addresses you list there should ever receive mail from the form.
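The two checks above, auditing the version in the comment box and refusing any recipient that is not on a configured allow-list, as an added Python example. This is not code from the original page or from FormMail itself; the sample headers and the example.com allow-list are constructed for illustration, and the version comparison assumes Matt Wright's numbering (1.9, 1.91, 1.92, ...) where the minor part is compared as a whole number.

```python
import re

# Constructed sample: the comment box the page tells you to look for near the
# top of FormMail.pl, worded like the 1.92 copyright notice quoted above.
SAMPLE_HEADER_192 = """#!/usr/bin/perl
##############################################################################
# FormMail                        Version 1.92                               #
# Copyright 1996-2002 Matt Wright                 mattw@scriptarchive.com    #
# Created 06/09/95                Last Modified 04/21/02                     #
# Matt's Script Archive, Inc.:    http://www.scriptarchive.com/              #
##############################################################################
"""

# Constructed sample of an older install (the version number is made up).
SAMPLE_HEADER_OLD = """#!/usr/bin/perl
# FormMail                        Version 1.6
# Copyright 1996-1998 Matt Wright
"""

# First release the page identifies as fixed.
FIXED_VERSION = (1, 92)

# Matches "# FormMail ... Version 1.92" on a single comment line.
VERSION_RE = re.compile(r"^#\s*FormMail\b.*?Version\s+(\d+)\.(\d+)", re.MULTILINE)


def formmail_version(script_text):
    """Return (major, minor) from the FormMail comment box, or None if absent."""
    m = VERSION_RE.search(script_text)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def is_outdated(script_text):
    """True when the script is older than 1.92, or carries no FormMail version
    line at all (a copy with the header stripped cannot be trusted either)."""
    version = formmail_version(script_text)
    return version is None or version < FIXED_VERSION


# Allow-list of destination addresses, in the spirit of the @recipients setting
# FormMail 1.92 asks you to configure.  example.com is a hypothetical domain.
ALLOWED_RECIPIENT_PATTERNS = [
    r"^webmaster@example\.com$",
    r"^[a-z0-9._-]+@example\.com$",
]


def recipients_allowed(recipient_field, patterns=ALLOWED_RECIPIENT_PATTERNS):
    """Hardened handling of the form's 'recipient' field.

    Old FormMail mailed to whatever this field contained, which is the open
    relay the page warns about.  Here the field may still list several
    addresses separated by commas, but every one of them must match a
    configured pattern; an empty field or one unknown address rejects the
    whole request.
    """
    addrs = [a.strip() for a in recipient_field.split(",") if a.strip()]
    if not addrs:
        return False
    return all(
        any(re.match(p, a, re.IGNORECASE) for p in patterns) for a in addrs
    )


if __name__ == "__main__":
    for name, text in (("1.92 copy", SAMPLE_HEADER_192), ("old copy", SAMPLE_HEADER_OLD)):
        print(name, formmail_version(text), "upgrade needed" if is_outdated(text) else "ok")
    # Constructed form submissions: a legitimate one and a spammer's attempt.
    for field in ("webmaster@example.com", "webmaster@example.com, victim@example.org"):
        print(repr(field), "allowed" if recipients_allowed(field) else "refused")
```

To audit a real install, read FormMail.pl from disk and pass its text to is_outdated(); a result of True means the copy predates the fix and should be replaced with the current download from scriptarchive.com before anything else is done.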
If you need help, please contact nzservers.