J-Security Center

Title: FormMail HTTP_Referer Spoofing Vulnerability

Severity: HIGH

Description:

FormMail is a widely used web-based e-mail gateway: a CGI script that accepts the fields of an HTML form and mails them to a specified recipient address. It is written in Perl and runs on most Linux and Unix variants as well as on Microsoft Windows.

The script is designed to accept variables from any form and mail them to the recipient address named in the submission.

Referer is an HTTP request header that the browser sends with a request to indicate the page from which the request originated; the web server exposes it to CGI scripts as the HTTP_REFERER environment variable. FormMail relies on the HTTP_REFERER value to decide whether a submission came from a form on an authorized host.

For example, FormMail can be configured to accept only submissions from HTML forms hosted on the local host or on other trusted hosts in the network. This looks like a sound configuration: it appears to prevent an attacker from submitting a modified copy of the form from elsewhere, which would limit the exploitability of vulnerabilities that depend on such a submission. However, this measure creates a false sense of security, because the Referer header is supplied entirely by the client and is trivial for a remote attacker to forge with any HTTP client.

A forged HTTP_REFERER value therefore circumvents the check that FormMail uses to validate the origin of a submission.

A remote attacker may combine this issue with other weaknesses, such as manipulating CGI variables (for example, supplying an arbitrary 'recipient' value) to use FormMail as an anonymous e-mail relay for spamming or mail bombing. For more information, refer to BugTraq ID 2469, "FormMail Recipient CGI Variable Spamming Vulnerability".
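The following added example (constructed for this advisory; it is not FormMail's own code) models the referer-based gate described above and the recipient abuse it fails to prevent. It assumes a site configured to trust forms on www.example.com and to deliver mail only to a fixed set of local addresses; the host names, addresses and function names are illustrative. A request carrying a forged Referer passes the referer-only gate from anywhere, while a server-side recipient allow-list stops the relay regardless of what the client claims.

```python
"""Model of a Referer-gated form mailer and why the gate is not a security control.
Constructed example for this advisory; not FormMail's own code."""
from urllib.parse import urlparse

# Assumed deployment configuration (stand-ins for FormMail's trusted-referer
# and recipient settings; values are constructed for this example).
TRUSTED_HOSTS = {"www.example.com", "example.com"}
ALLOWED_RECIPIENTS = {"webmaster@example.com", "sales@example.com"}


def referer_allowed(headers, trusted_hosts=TRUSTED_HOSTS):
    """Referer-based gate: accept only if the Referer header names a trusted host.

    Exact hostname comparison, so 'www.example.com.attacker.test' does not match
    and a missing header is rejected. The header is still client-supplied, so
    passing this check proves nothing about where the request really came from.
    """
    referer = headers.get("Referer", "")
    host = urlparse(referer).hostname
    return host is not None and host.lower() in trusted_hosts


def recipient_allowed(form, allowed=ALLOWED_RECIPIENTS):
    """Server-side gate: accept only recipients configured by the site operator,
    ignoring anything the form or the headers claim."""
    return form.get("recipient", "").strip().lower() in allowed


def gate_referer_only(headers, form):
    """The weak control: origin is judged from the forgeable Referer header alone."""
    return referer_allowed(headers)


def gate_hardened(headers, form):
    """The fixed control: the recipient must be on the server-side allow-list.
    The referer check is kept only as a nuisance filter, not as authentication."""
    return referer_allowed(headers) and recipient_allowed(form)


def forged_request(recipient, trusted_host="www.example.com"):
    """Build the request an attacker can send from any host, equivalent to:

    curl -H "Referer: http://www.example.com/contact.html" \
         -d "recipient=<recipient>&subject=hi&message=spam" \
         http://victim.example/cgi-bin/FormMail.pl

    The Referer is chosen by the attacker to match the site's trusted host.
    """
    headers = {"Referer": f"http://{trusted_host}/contact.html"}
    form = {"recipient": recipient, "subject": "hi", "message": "spam"}
    return headers, form


def demo():
    """Compare both gates on a forged relay attempt and on a legitimate submission."""
    spam_headers, spam_form = forged_request("victim@elsewhere.test")
    ok_headers, ok_form = forged_request("webmaster@example.com")
    return {
        "relay_passes_referer_only": gate_referer_only(spam_headers, spam_form),
        "relay_passes_hardened": gate_hardened(spam_headers, spam_form),
        "legit_passes_hardened": gate_hardened(ok_headers, ok_form),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point of the comparison is that the referer gate and the recipient allow-list answer different questions. The first asks the client where it came from and believes the answer; the second enforces a policy the client cannot influence. Only the second prevents the script from being used as an open relay.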

Affected Products:

  • Matt Wright FormMail 1.0.0
  • Matt Wright FormMail 1.1.0
  • Matt Wright FormMail 1.2.0
  • Matt Wright FormMail 1.3.0
  • Matt Wright FormMail 1.4.0
  • Matt Wright FormMail 1.5.0
  • Matt Wright FormMail 1.6.0
  • Matt Wright FormMail 1.7.0
  • Matt Wright FormMail 1.8.0
  • Matt Wright FormMail 1.9.0

References:

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.