Formmail secure?

Eric Schreiber · **Formmail secure? -** 08-23-2003, 12:07 PM

Just a paranoia check, really. I noticed some attempts to access formmail at my domain, and wanted to be sure it was safe...

Host: 210.0.179.146 Url: /cgi-sys/formmail.pl Http Code : 200
Date: Aug 23 04:37:21 Http Version: HTTP/1.0" Size in Bytes: 250
Referer: http://www.ericschreiber.com/ Agent: -

Host: 210.242.69.243 Url: /cgi-sys/formmail.pl Http Code : 200
Date: Aug 23 04:35:33 Http Version: HTTP/1.0" Size in Bytes: 253
Referer: http://www.ericschreiber.com/ Agent: -

Host: 200.171.213.234 Url: /cgi-sys/formmail.pl Http Code : 200
Date: Aug 23 04:35:32 Http Version: HTTP/1.0" Size in Bytes: 250
Referer: http://www.ericschreiber.com/ Agent: -

Host: 202.184.1.40 Url: /cgi-sys/formmail.pl Http Code : 200
Date: Aug 23 04:35:19 Http Version: HTTP/1.0" Size in Bytes: 233
Referer: http://www.ericschreiber.com/ Agent: -

Host: 80.55.20.78 Url: /cgi-sys/formmail.pl Http Code : 200
Date: Aug 23 04:35:17 Http Version: HTTP/1.0" Size in Bytes: 227
Referer: http://www.ericschreiber.com/

stratplan · **yeah, me too... -** 08-23-2003, 01:09 PM

I was sitting here looking at the latest 'formmail' script (NMS v. 3.09cl) that is supposed to be secure, wondering if I should install it.

I really need a formmail type program, and am familiar with cgi, but not php so I prefer not to go that (php) route to shorten the time and learning curve.

I received no reply on my previous query here,
http://www.page-zone.com/forums/show...light=formmail
and was thinking about opening a help ticket:

You can see Jim says it is a no-no like that, and I am surprised that renaming it would work, but if he says so, it must be.

Thanks for regenerating this puzzle. I'm looking forward to the response. Seems like the cgi-sys route would be secure.

aaa · 08-24-2003, 02:04 AM

The cgi-sys route is NOT safe to use.

Jim · 08-24-2003, 10:20 AM

Renaming it doesn't make it secure but it will stop the script kiddies from finding it. What they do is set a script loose crawling the internet looking for /cgi-bin/formail.pl (or a variation of that) on thousands of domain names.

Odds are EVERY site will eventually get crawled and if the script is sitting there it will be exploited. If the script is still there but called something else like /cgi-bin/send.pl it severely cuts down the chances of getting found by a bot, but it still isn't the best way. A script which can't be exploited is the best way but Matt Wright's formmail scripts always get cracked, and it looks like CPanel's version is a heavy target as well.