Skip to content


for posterity: the FormMail advisory

Myself and Ronald F. Guilmette co-wrote an advisory on vulnerabilities in FormMail. Here it is, archived from RFG’s bugtraq posting:

Anonymous Mail Forwarding Vulnerabilities in FormMail 1.9

By manipulating inputs to the FormMail CGI script, remote users may abuse the functionality provided by FormMail to cause the local mail server on the same (web) server system to send arbi- trary e-mail messages to arbitrary e-mail destination addresses. Such e-mail messages may contain real or forged sender e-mail addresses (in the From: headers) entirely of the attacker’s choosing. In some cases, the envelope sender addresses of such messages may also be set to arbitrary values by the attacker.

I helped with a few cases where FormMail is vulnerable here, namely the injection of newlines attack.

When this came out, I was in Australia, packing in preparation for a month-long camping trip around Victoria ;) The Lake Catani campsite at Mount Buffalo was amazing. (whoa, compare that page with this e-commerce monstrosity — urgh)