Re: form mail
- From: Gordon Messmer <yinyang eburg com>
- To: enigma-list redhat com
- Subject: Re: form mail
- Date: 21 Oct 2002 07:47:32 -0700

On Mon, 2002-10-21 at 07:30, Keith Mastin wrote:
> On Mon, 21 Oct 2002, Vicki Edwards wrote:
>
> > can anyone help me with formmail.pl v1.92? i keep getting the error
> > 'bad recepient'. thanks, vicki
>
> Formmail is a bad idea. Very bad. Bbbbad. No good.

It has a history of problems, but it's not *that* bad any more.

> Search the php websites for scripts that are more secure, and read the
> code in them.

The problems that affected FormMail.pl are likely to affect any script,
regardless of language.

> Formmail is a cgi script that is known to provide access with posted
> scripts to break in. Now that you are aware of this, if you use it, all
> bets on security for your system are off.

Formmail's problems were not that it was an easy entry for hacks, but
that it was an easy gateway for spammers. It basically turned your web
server into an open relay. It used to allow access control by
specifying what "referrers" were valid, which is crap; a client can lie
about the referrer and use whatever values they want. PHP will believe
the same lies. FormMail now lets you specify what recipients are valid,
eliminating the "open relay" problem.
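
The difference between the two controls described in the message above, as an added example that is not part of the original post and is not code from FormMail.pl. The function names, the host and recipient allowlists and the sample requests are constructed assumptions; Python is used only because the point is language-independent.

```python
from urllib.parse import urlsplit

# Constructed site configuration (assumptions for this example only).
TRUSTED_REFERER_HOSTS = {"www.example.com"}
ALLOWED_RECIPIENTS = {"webmaster@example.com", "sales@example.com"}


def referer_allows(headers):
    """Referrer-based control: trusts a header that the client writes itself."""
    host = urlsplit(headers.get("Referer", "")).hostname
    return host in TRUSTED_REFERER_HOSTS


def recipients_allowed(form):
    """Recipient allowlist: every requested address must equal a configured one.

    Comparison is exact and case-insensitive, with no substring or suffix
    matching. An empty or missing field yields [""] and is rejected.
    """
    raw = form.get("recipient", "")
    requested = [addr.strip(" \t").lower() for addr in raw.split(",")]
    return all(addr in ALLOWED_RECIPIENTS for addr in requested)


def evaluate(headers, form):
    """Return what each control alone would decide for one submission."""
    return {
        "referer_only": referer_allows(headers),
        "recipient_allowlist": recipients_allowed(form),
    }


# Constructed requests. All three carry the same Referer value, because the
# sender of a request can put any value it likes in that header.
SITE_FORM = {"Referer": "http://www.example.com/contact.html"}
GENUINE = (SITE_FORM, {"recipient": "Webmaster@example.com"})
OUTSIDE = (SITE_FORM, {"recipient": "someone@elsewhere.test"})
MIXED = (SITE_FORM, {"recipient": "sales@example.com, someone@elsewhere.test"})

if __name__ == "__main__":
    for name, (headers, form) in [("genuine", GENUINE), ("outside", OUTSIDE), ("mixed", MIXED)]:
        print(name, evaluate(headers, form))
```

Only the recipient allowlist separates the genuine submission from the other two; the referrer check returns the same answer for all three.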