FormMail is a widely-used web-based e-mail gateway which allows form-based input to be e-mailed to a specified user. It is written in Perl and runs on most Linux and Unix variants as well as on Microsoft Windows. A vulnerability has been discovered which may allow a remote attacker to send anonymous e-mail to arbitrary recipients. The cause is insufficient validation of the email and realname CGI variables: their values are placed directly into the message header, so input containing embedded line breaks tricks the underlying mailer into treating the remainder as additional header fields, such as Cc:, Bcc:, or a second To:. One copy of the message is still delivered to the legitimate recipient specified in the FormMail configuration; however, additional copies of the same message may be sent to any number of attacker-specified recipients.
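To make the mechanism concrete, the following is an added Python illustration, not FormMail's own Perl code and not taken from the advisory, of the header-construction pattern described above together with the check that prevents it. The configured recipient, the submitted `email` and `realname` values and all addresses are constructed for the example; `build_headers_naive` and `build_headers_safe` are hypothetical helpers standing in for whatever a form-to-mail gateway does when it assembles the header.

```python
import re
from typing import Dict, List

# Constructed sample data (not from FormMail or the advisory): the recipient a
# site would configure, and the values an attacker could submit in the
# `email` and `realname` CGI variables.
CONFIGURED_RECIPIENT = "webmaster@example.org"
SUBMITTED_EMAIL = "nobody@example.com"
# The realname value carries embedded newlines. After "Anonymous" it starts a
# Bcc: field; the final "X-Junk:" line absorbs the " <email>" that the
# template appends, so the injected Bcc: line stays clean.
INJECTED_REALNAME = (
    "Anonymous\n"
    "Bcc: victim1@example.net, victim2@example.net\n"
    "X-Junk:"
)


def build_headers_naive(recipient: str, email: str, realname: str,
                        subject: str) -> str:
    """The vulnerable pattern: CGI values interpolated straight into header
    lines. A newline inside `realname` or `email` terminates the From: line
    early, and whatever follows is handed to the mailer as further header
    fields (Cc:, Bcc:, a second To:, ...)."""
    return (
        f"To: {recipient}\n"
        f"From: {realname} <{email}>\n"
        f"Subject: {subject}\n"
    )


def parse_headers(block: str) -> Dict[str, List[str]]:
    """Minimal header parse (one field per line, no folding): name -> values."""
    headers: Dict[str, List[str]] = {}
    for line in block.splitlines():
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            continue
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def envelope_recipients(block: str) -> List[str]:
    """Addresses a mailer that takes its recipients from the headers
    (sendmail -t style) would deliver to: every To:, Cc: and Bcc: entry."""
    headers = parse_headers(block)
    recipients: List[str] = []
    for field in ("to", "cc", "bcc"):
        for value in headers.get(field, []):
            recipients.extend(a.strip() for a in value.split(",") if a.strip())
    return recipients


# Hardened side: a value destined for a header may never contain a line
# break (or NUL); anything else cannot start a new field.
_FORBIDDEN = re.compile(r"[\r\n\x00]")


class HeaderInjection(ValueError):
    """Raised when a CGI value would start a new header field."""


def is_clean_header_value(value: str) -> bool:
    return _FORBIDDEN.search(value) is None


def safe_header_value(value: str) -> str:
    if not is_clean_header_value(value):
        raise HeaderInjection("CR, LF or NUL in header value: %r" % value)
    return value


def build_headers_safe(recipient: str, email: str, realname: str,
                       subject: str) -> str:
    """Same template, but every attacker-controlled value is checked first."""
    return build_headers_naive(recipient,
                               safe_header_value(email),
                               safe_header_value(realname),
                               safe_header_value(subject))


if __name__ == "__main__":
    hdrs = build_headers_naive(CONFIGURED_RECIPIENT, SUBMITTED_EMAIL,
                               INJECTED_REALNAME, "Feedback")
    print(hdrs)
    print("mailer would deliver to:", envelope_recipients(hdrs))
    try:
        build_headers_safe(CONFIGURED_RECIPIENT, SUBMITTED_EMAIL,
                           INJECTED_REALNAME, "Feedback")
    except HeaderInjection as exc:
        print("rejected:", exc)
```

Run stand-alone, the naive path yields three delivery addresses, the configured one plus the two smuggled in through Bcc:, while the checked path refuses the same input. The check is deliberately a blacklist of the only characters that can terminate a header line; a stricter deployment would additionally whitelist the shape of the address, and a mail library whose header setter rejects line breaks outright (Python's EmailMessage raises ValueError for them) gives the same protection without a hand-written check.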