• Product Information
• Security Products Overview
• Juniper Networks ISG Series
• IDP Demo
• Product Poster & Z-Card 

Title: FormMail Recipient CGI Variable Spamming Vulnerability

Severity: MODERATE

Description:

FormMail is a widely-used web-based e-mail gateway, which allows form-based input to be emailed to a specified user.

A vulnerability exists in FormMail which permits a remote user to send anonymous email to arbitrary recipients.

The script is designed to accept variables from any form and mail them to a specified recipient email address. The script relies on an HTTP variable for this email address. It is suggested in the documentation that this be a 'hidden' variable in the form, present but not-displayed to the user
entering the form data. Unfortunately, because it is still an HTTP variable, an attacker can supply an arbitrary value for this email address and control the destination of the e-mail. The script provides no indication of the original sender (via the CGI interface) in the email.

This can be employed to send anonymous spam or forged e-mails, potentially in large volumes.

Note that, despite the lack of origin information in the e-mails themselves, the web server's access logs may retain information on the user exploiting this vulnerability.

Many versions of this script have been distributed, with varying security measures which may potentially mitigate this vulnerability.

It should be noted that FormMail 1.9 is still prone to this issue. FormMail 1.9 employs measures to attempt to validate the legitimacy of the recipient address. However, it has been reported that these measures may be circumvented via cleverly crafted input.

Affected Products:

• Matt Wright FormMail 1.0.0
• Matt Wright FormMail 1.1.0
• Matt Wright FormMail 1.2.0
• Matt Wright FormMail 1.3.0
• Matt Wright FormMail 1.4.0
• Matt Wright FormMail 1.5.0
• Matt Wright FormMail 1.6.0
• Matt Wright FormMail 1.7.0
• Matt Wright FormMail 1.8.0
• Matt Wright FormMail 1.9.0

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.