formail (was moron at perl/cgi)
irb
irb at viopac.com
Thu Jan 12 10:10:47 MST 2006
* Quoth Victor Odhner (vodhner at cox.net), on Thu, AD 2006.01.12, at 07:07 -0700:
>
> ForMail has some legendary security holes, due to its trust
> of user data. Just google for formail exploit
> to see 22 pages of references.
> This script is a poster child for bad CGI usage.
> Being under selinux would be no protection here.
There's a project called NMS available at http://nms-cgi.sf.net/ that
attempts to reimplement a number of Matt's scripts in sane and secure
ways, FormMail.pl included. See also
http://www.scriptarchive.com/nms.html.
/i.
More information about the PLUG-discuss
mailing list