View Full Version : Formmail.pl and Abuse
eddy2099 06-18-2002, 02:41 PM Today, when monitoring my websites from different web hosts, I saw in the error logs that someone was trying to access cgi-bin/formmail.pl. Probably someone trying to abuse the system.
Of course, in my situation, I do not have any CGIs to begin with. So they could not run any on my sites.
I am not sure if I am the only one facing this, but if not, and you are using formmail.pl, what steps are there to take to prevent any abuse of the system?
Chicken 06-18-2002, 03:12 PM If I read it correctly, your logs showed attempted accesses of a file that doesn't exist. They were trying to hit it by name. This is the first thing you can do to prevent abuse (simply rename the script). Servers and networks are scanned for the script name many times, and while this isn't the only way to prevent abuse, it is the first thing I'd do.
okihost 06-18-2002, 03:12 PM The best suggestion: don't allow users to use it. But you do have to give an alternative if you do this. There was a huge discussion on this a couple of weeks ago; do a search and you should find it.
eddy2099 06-18-2002, 03:28 PM Originally posted by Chicken
If I read it correctly, your logs showed attempted accesses of a file that doesn't exist. They were trying to hit it by name. This is the first thing you can do to prevent abuse (simply rename the script). Servers and networks are scanned for the script name many times, and while this isn't the only way to prevent abuse, it is the first thing I'd do.
Yup, currently there are no CGIs on my sites. So I guess there is no real problem here.
Thanks for the tip.
Rochen 06-18-2002, 03:36 PM We have completely banned formmail.pl on our Linux system and are considering the same action on Windows. I would suggest looking at HotScripts.com if you need an alternative to formmail.pl. A custom-built PHP alternative can be made in a few lines of code.
As for your problem with it showing in the logs Edwin, an error (404) has occurred so the server will log it :) If no error occurred the log wouldn't be made.
Phoenix 06-18-2002, 04:35 PM Originally posted by eddy2099
Today, when monitoring my websites from different web hosts, I saw in the error logs that someone was trying to access cgi-bin/formmail.pl. Probably someone trying to abuse the system.
They were probably scanning for the Matt's Script Archive script that can be exploited and used as an open mail relay.
But as long as you don't have that script, there's nothing they can do.
Yeah, I've been scanned for it lots of times.
That's why I always include a custom PHP "contact" page when I do a site for someone.
NixHosting 06-18-2002, 06:19 PM I had a problem with spammers using my clients' formmail.pl. Well, I sent out a mass email to all clients to rename it to anything other than formmail.pl, for example contact.pl. Since the name changes of all the formmails we have not had one issue. Spammers search for formmail and when it's found they do what they want. Try just renaming the file and see if the spam stops. Worked perfectly for me.
freehtml 06-18-2002, 09:44 PM I used another CGI script called Alienform for form processing; it has a referrer field so that only a valid domain or IP can use the script.
alwaysweb 06-19-2002, 02:16 AM Even the latest version of FormMail has security holes... Hiding doesn't solve the problem; renaming it doesn't protect you. The only reasonable solution I see at this time is to ban it (hosts) or use another script (clients)...
Over at AWH we regularly scan all our servers for the script and help clients install a PHP form-to-mail script instead, such as:
http://www.lumbroso.com/scripts/formmail.php
We *did* have a spam incident through a client's FormMail... the tricky part is the client's IP isn't in the mail header, just in the access_log for the site (if their logs are enabled).
Let me know if anyone needs any help with this, I'd be glad to assist.
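The two log observations in this thread (404 probes for the script by name, and a spam run that shows up only in the site's access_log) can be checked with a short log scan. The following is an added example, not code from the thread or from any of the scripts mentioned; it parses Apache "combined" format log lines (the sample lines, IPs, and the `/cgi-bin/contact.pl` path are constructed for the example) and separates scanner probes from actual POST traffic to a live form-to-mail script.

```python
import re
from collections import Counter

# Constructed sample access_log lines (Apache "combined" format); not real traffic.
# First three: a scanner probing for the script by name, getting 404s.
# Last three: rapid POSTs to a renamed form-to-mail script, two with no Referer.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [18/Jun/2002:14:02:11 +0000] "GET /cgi-bin/formmail.pl HTTP/1.0" 404 291 "-" "Mozilla/4.0"
203.0.113.7 - - [18/Jun/2002:14:02:12 +0000] "GET /cgi-bin/FormMail.pl HTTP/1.0" 404 291 "-" "Mozilla/4.0"
203.0.113.7 - - [18/Jun/2002:14:02:12 +0000] "GET /cgi-bin/formmail.cgi HTTP/1.0" 404 291 "-" "Mozilla/4.0"
198.51.100.9 - - [18/Jun/2002:14:05:40 +0000] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
192.0.2.33 - - [18/Jun/2002:15:10:01 +0000] "POST /cgi-bin/contact.pl HTTP/1.0" 200 412 "http://www.example.com/contact.html" "Mozilla/4.0"
192.0.2.33 - - [18/Jun/2002:15:10:02 +0000] "POST /cgi-bin/contact.pl HTTP/1.0" 200 412 "-" "-"
192.0.2.33 - - [18/Jun/2002:15:10:02 +0000] "POST /cgi-bin/contact.pl HTTP/1.0" 200 412 "-" "-"
"""

# Apache combined log: ip ident user [ts] "method path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Script basenames that scanners request by name (compared case-insensitively).
PROBE_NAMES = {"formmail", "formmail.pl", "formmail.cgi", "formmail.php"}


def parse_line(line):
    """Return a dict of fields for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_formmail_probe(rec):
    """True when the requested path's basename is one of the well-known formmail names."""
    basename = rec["path"].split("?", 1)[0].rsplit("/", 1)[-1]
    return basename.lower() in PROBE_NAMES


def analyze(log_text, mail_script_paths=("/cgi-bin/contact.pl",)):
    """Summarise probes and form-to-mail usage in a log.

    Returns a dict with three Counters keyed by client IP:
      probes          - 404 requests for a formmail-named script (scanning, nothing hit)
      posts           - POSTs to your real form-to-mail script(s)
      posts_no_referer- those POSTs that carried no Referer at all; a browser
                        submitting your own contact page normally sends one.
    """
    probes, posts, posts_no_ref = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if is_formmail_probe(rec) and rec["status"] == "404":
            probes[rec["ip"]] += 1
        path = rec["path"].split("?", 1)[0]
        if rec["method"] == "POST" and path in mail_script_paths:
            posts[rec["ip"]] += 1
            if rec["referer"] in ("", "-"):
                posts_no_ref[rec["ip"]] += 1
    return {"probes": probes, "posts": posts, "posts_no_referer": posts_no_ref}


if __name__ == "__main__":
    for name, counter in analyze(SAMPLE_ACCESS_LOG).items():
        print(name, dict(counter))
```

Run it against a real file by reading it and passing the text to `analyze()` with your script's actual path in `mail_script_paths`. The `probes` counter is the noise Chicken describes (a 404 means nothing ran); the `posts` counter is where you look when a spam run has gone out, because, as alwaysweb notes, the sender's IP is only in this log, not in the mail headers. A missing Referer is a hint, not proof: it is client-controlled and some proxies strip it.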
Chicken 06-19-2002, 02:24 AM One thing I haven't been able to figure out is why is a script (such as the one above) not vulnerable? I looked for alternatives however I couldn't determine this. If the one above is fine, then I'd suggest it to clients and use it...
ideavirus 06-19-2002, 07:42 AM If you want to avoid abuse because of using formmail, use the formmail at the NMS site.
In fact, Matt himself recommends this script because it doesn't have the holes that Matt's script has!
Check it out here :
NMS FormMail (http://nms-cgi.sourceforge.net/)
Cheers
:)
skylab 06-19-2002, 09:27 AM http://php.resourceindex.com/Complete_Scripts/Form_Processing/
NexDog 06-19-2002, 10:15 AM A PHP formmail isn't necessarily more secure just because it's PHP. Use the NMS formmail; it's a lot more secure, though no formmail is or can be 100% secure. Use NMS and rename it. That's the solution we are encouraging our clients to adopt.
elsmore1 06-19-2002, 10:17 AM If you are referring to the script at http://www.lumbroso.com/scripts/formmail.php, it IS vulnerable. It is trivial to use it to send unauthorized spam messages.
Originally posted by Chicken
One thing I haven't been able to figure out is why is a script (such as the one above) not vulnerable? I looked for alternatives however I couldn't determine this. If the one above is fine, then I'd suggest it to clients and use it...
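Chicken's question (what actually makes one form-to-mail script vulnerable and another not), Phoenix's "open mail relay" description, freehtml's referrer field, and NexDog's point that the language is not what makes it safe all come down to the same few checks. Below is an added example, not code from the thread, from Matt's FormMail, NMS, or the lumbroso script: it models a form handler in Python so the logic is readable (the real script would be Perl or PHP), building the message text instead of sending it. The open-relay version mirrors the flaw the thread is discussing; the hardened version shows the checks. All addresses, the example.com domain, and the allow lists are constructed for the example.

```python
import re


class Rejected(Exception):
    """Raised by the hardened handler when a submission fails a check."""


def render_message(to, sender, subject, body):
    """Assemble a minimal mail message; headers are CRLF-separated, blank line, then body."""
    headers = ["To: " + to, "From: " + sender, "Subject: " + subject]
    return "\r\n".join(headers) + "\r\n\r\n" + body


def parse_headers(raw):
    """Header names present in a rendered message (shows what an injected CRLF achieves)."""
    head = raw.split("\r\n\r\n", 1)[0]
    return [line.split(":", 1)[0] for line in head.split("\r\n")]


# --- The flaw: every header, including the recipient, comes straight from the form. ---
def open_relay_handler(form):
    return render_message(form["recipient"], form["email"], form["subject"], form["message"])


# --- The hardened version: server-side allow lists plus header validation. ---
ALLOWED_RECIPIENTS = {"webmaster@example.com"}           # constructed allow list
ALLOWED_REFERERS = ("http://www.example.com/", "https://www.example.com/")
CRLF = re.compile(r"[\r\n]")
ONE_ADDRESS = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def header_value(value, maxlen=200):
    """A value destined for a mail header: present, single-line, bounded."""
    if value is None:
        raise Rejected("missing field")
    if CRLF.search(value):
        raise Rejected("CR/LF in header field")   # blocks Bcc:/Cc: injection via subject etc.
    if len(value) > maxlen:
        raise Rejected("header field too long")
    return value


def hardened_handler(form, env):
    # 1. The client may only name a recipient that is on the server-side allow list;
    #    this is what turns an open relay into a contact form.
    to = form.get("recipient", "")
    if to not in ALLOWED_RECIPIENTS:
        raise Rejected("recipient not allowed")
    # 2. Referer allow list, as Alienform's referrer field does. It is client-controlled,
    #    so treat it as a speed bump against scanners, not as authentication.
    if not env.get("HTTP_REFERER", "").startswith(ALLOWED_REFERERS):
        raise Rejected("referer not allowed")
    # 3. Header fields: no CR/LF, bounded length, sender must be exactly one address.
    sender = header_value(form.get("email"))
    if not ONE_ADDRESS.match(sender):
        raise Rejected("sender is not a single address")
    subject = header_value(form.get("subject"))
    return render_message(to, sender, subject, form.get("message", ""))


def try_send(form, env):
    """Convenience wrapper: ('sent', message) or ('rejected', reason)."""
    try:
        return "sent", hardened_handler(form, env)
    except Rejected as e:
        return "rejected", str(e)


# Constructed requests. The abusive one picks its own recipient and smuggles a Bcc: header.
ABUSE_REQUEST = {
    "recipient": "victim@example.net",
    "email": "bulk@example.org",
    "subject": "hi\r\nBcc: a@example.net, b@example.net",
    "message": "buy now",
}
LEGIT_REQUEST = {
    "recipient": "webmaster@example.com",
    "email": "alice@example.org",
    "subject": "Question about hosting",
    "message": "Hello",
}
LEGIT_ENV = {"HTTP_REFERER": "http://www.example.com/contact.html"}

if __name__ == "__main__":
    print(parse_headers(open_relay_handler(ABUSE_REQUEST)))   # Bcc appears as a real header
    print(try_send(ABUSE_REQUEST, LEGIT_ENV))                  # rejected: recipient not allowed
    print(try_send(LEGIT_REQUEST, LEGIT_ENV))                  # sent
```

The recipient allow list is the check that matters most: with it, a spammer who finds the script can at best mail your own webmaster address. The CR/LF check closes the second route, where a client-supplied subject or sender injects extra `Bcc:` or `Cc:` headers into a message that is otherwise addressed correctly. Renaming the script, as several posters suggest, only hides it from name-based scans and changes none of this.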
KDAWebServices 06-19-2002, 10:28 AM The lumbroso one is a big gaping hole waiting for spam to be fed through, heck, I think even the original FormMail.pl is more secure.