Is anyone on the list using "formmail" CGI script on their RH Apache implementations?
Jason Dixon
jason at dixongroup.net
Wed Jan 26 15:53:44 UTC 2005
On Jan 26, 2005, at 10:50 AM, Marty Landman wrote:
> At 09:59 AM 1/26/2005, Jason Dixon wrote:
>
>> I don't use FormMail.pl. As best I recall, it has had a history of
>> security holes.
>
> I believe the major problem is when you specify the recipient on a
> hidden form field. This makes a script available for hijacking to send
> spam from; stealing the webmaster's bandwidth and damaging their
> reputation. Or worse than that...

There are a LOT of problems with Matt's FormMail.pl. I took a cursory
glance and was shocked at the lack of localized variables and what-not.
And while I can appreciate the all-in-one behavior that made sense in
1996, most Perl folks like to take advantage of a little thing called
*modules*. ;-)
</off-topic>
--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net
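
An added example, not part of the original thread and not FormMail.pl's own code: a Perl sketch of the usual fix for the hidden-recipient problem quoted above, where the form submits only a key and the server maps it to a configured address. It goes slightly beyond the message by also refusing header values that contain line breaks; the `%RECIPIENTS` table, the field names `form_id` and `subject`, and all addresses are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Server-side table: the form names a key, never an address (assumed names).
my %RECIPIENTS = (
    contact => 'webmaster@example.com',
    sales   => 'sales@example.com',
);

# Return the configured recipient for a submission, or undef to refuse it.
# Any client-supplied 'recipient' field is deliberately never read.
sub resolve_recipient {
    my ($params) = @_;
    my $key = $params->{form_id};
    return undef unless defined $key && exists $RECIPIENTS{$key};
    return $RECIPIENTS{$key};
}

# Values copied into mail headers must be a single, non-empty line.
sub safe_header_value {
    my ($value) = @_;
    return undef unless defined $value && length $value;
    return undef if $value =~ /[\r\n]/;
    return $value;
}

# Build the header block, or return undef if the submission is rejected.
sub build_headers {
    my ($params) = @_;
    my $to = resolve_recipient($params);
    return undef unless defined $to;
    my $subject = safe_header_value($params->{subject});
    return undef unless defined $subject;
    return "To: $to\nSubject: $subject\n";
}

# Constructed sample submissions (not real traffic).
my @samples = (
    { form_id => 'contact', subject => 'Hello' },
    { form_id => 'contact', subject => 'Hi', recipient => 'someone@elsewhere.example' },
    { form_id => 'unknown', subject => 'Hi' },
    { form_id => 'sales',   subject => "Hi\nBcc: list\@elsewhere.example" },
);

for my $s (@samples) {
    my $headers = build_headers($s);
    print defined $headers ? "ACCEPT\n$headers" : "REJECT\n";
}
```

The second sample is accepted but still goes to the configured `contact` address, because the submitted `recipient` field is never consulted.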