Help with cgi script attack

Dave Cross davorg at gmail.com
Sun Mar 19 13:31:36 UTC 2006


On 3/18/06, Knute Johnson <knute at frazmtn.com> wrote:
> I need some help finding the correct place to go to get specific
> help. We have a script that uses sendmail to send form data to the
> site owner. Last night somebody managed to use it to send thousands
> of spam emails.  I need to find the right place to ask about the
> script to determine exactly how the attack was accomplished so we can
> fix the script.  Any direction would be greatly appreciated.

It's a common problem with badly written formmail programs. The rule
of thumb should be that you only send fixed text to email addresses
that come from form input and only send form input data to fixed email
addresses.

See http://nms-cgi.sf.net/ for a formmail that is more secure than most.

Dave...
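The rule of thumb from the reply above, as an added example (not part of the original post, and not code from the nms project). It builds the two kinds of mail a form handler may legitimately send without handing them to sendmail; the addresses, the field names `email`, `comments` and `recipient`, and the function names are assumptions made for illustration.

```python
import re
from email.message import EmailMessage

# Assumptions for this example: fixed addresses set in code, never taken from the form.
OWNER = "owner@example.org"
SENDER = "webform@example.org"
ACK_TEXT = "Thank you, your message has been received.\n"  # fixed text only

# Conservative single-address pattern: no whitespace, commas, CR/LF or angle brackets.
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def valid_address(value):
    """True only if the whole value is one plain address."""
    return ADDR_RE.fullmatch(value) is not None


def build_messages(form):
    """Return (owner_msg, ack_msg); ack_msg is None if the visitor address is rejected."""
    # Form input goes only to the fixed address, and only in the body.
    owner = EmailMessage()
    owner["From"] = SENDER
    owner["To"] = OWNER
    owner["Subject"] = "Website form submission"
    # repr() keeps embedded line breaks visible as \r and \n in the report.
    owner.set_content("".join(f"{k}: {v!r}\n" for k, v in sorted(form.items())))

    # An address taken from the form receives fixed text only.
    ack = None
    visitor = form.get("email", "")
    if valid_address(visitor):
        ack = EmailMessage()
        ack["From"] = SENDER
        ack["To"] = visitor
        ack["Subject"] = "We received your message"
        ack.set_content(ACK_TEXT)
    return owner, ack


if __name__ == "__main__":
    # Constructed sample submission; "recipient" is ignored as a destination on purpose.
    sample = {"email": "visitor@example.net", "comments": "hello",
              "recipient": "someone@example.com"}
    for msg in build_messages(sample):
        print(msg)
```

Neither message lets the submitter choose both the destination and the content, which is what makes a form handler useful for sending spam.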



