[Modsecurity] Formmail

Andrew Cranson (Transnexis) cranky at transnexis.com
Wed Apr 5 15:46:42 EDT 2006


Perhaps it's designed more to avoid users uploading formmail scripts named the
obvious formmail.pl just in case of exploits. That way renaming them to
something less obvious will still allow them to function, yet it will reduce the
effectiveness of using scripts to crawl the web for formmail.php and
formmail.pl filenames to find possible targets to exploit.
-- 
Regards,

Andrew Cranson
Transnexis Hosting
www.transnexis.com

ICQ: 161813538
AIM: cransona
MSN: andrew at transnexis.com


----- Message from modsecurity at blubbernet.com ---------
    Date: Wed, 5 Apr 2006 20:36:20 +0100
    From: Mike Cardwell <modsecurity at blubbernet.com>
Reply-To: Mike Cardwell <modsecurity at blubbernet.com>
Subject: Re: [Modsecurity] Formmail
      To: modsecurity at gotroot.com


> * on the Wed, Apr 05, 2006 at 02:17:52PM -0400, Michael S. wrote:
>> You should be so fortunate that those rules exist! We don't allow formmail
>> on any of our 220 servers so those rules are a godsend. If you're into
>> spammers and having your server shut down for outbound spam, by all means
>> remove them. I could never understand in a million years why there are so
>> many server admins who are so blind to the issue that formmail creates; doesn't
>> matter how recent the version, it's always vuln! I guess there are some
>> server admins who don't know any better. A bit of education would be in
>> order.
>
> I am well aware of the issues surrounding formmail. I don't need
> "education" on the matter. If your servers allow exploited cgi/php
> scripts to send out large volumes of spam then there is something
> inherently wrong with your design. The hosting system I built allows
> formmail, yet has no spam problems.
>
> I could understand rules that blocked calls to .*/formmail.(pl|cgi|php)
> that contained newline characters in the subject/from parameters for
> example, but outright blocking of any uri that matches .*/formmail.pl
> seems like overkill to me.
>
> Mike
>
> --
> Digital photo printing: http://www.fotoserve.com/
> _______________________________________________
> Modsecurity mailing list
> Modsecurity at gotroot.com
> http://lists.gotroot.com/mailman/listinfo/modsecurity
>


----- End message from modsecurity at blubbernet.com -----
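To make the distinction Mike draws concrete, here is an added example (not from the list thread or from ModSecurity itself) modelling both policies in Python: the blanket block on any `formmail.(pl|cgi|php)` URI, and the narrower check that only denies when the `subject` or `from` parameter carries a newline. The request samples are constructed for illustration, and the check decodes parameters first so `%0A`/`%0D` are seen as the characters the mailer would see.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Script names the thread's rules match on: formmail.pl, formmail.cgi, formmail.php
FORMMAIL_PATH = re.compile(r"/formmail\.(pl|cgi|php)$", re.IGNORECASE)
# A bare CR or LF inside a value copied into a mail header starts a new header line
CRLF = re.compile(r"[\r\n]")
# Parameters formmail copies into mail headers, i.e. the injection vector Mike mentions
HEADER_FIELDS = ("subject", "from")


def collect_params(target, body=""):
    """Merge URL-decoded query and body parameters, keys lower-cased.
    parse_qs already decodes %0A/%0D, so the newline check sees real characters."""
    parts = urlsplit(target)
    merged = {}
    for raw in (parts.query, body):
        for key, values in parse_qs(raw, keep_blank_values=True).items():
            merged.setdefault(key.lower(), []).extend(values)
    return parts.path, merged


def broad_block(target, body=""):
    """The blanket rule Mike calls overkill: deny every URI whose path is formmail.*"""
    path, _ = collect_params(target, body)
    return FORMMAIL_PATH.search(path) is not None


def narrow_block(target, body=""):
    """The rule Mike would accept: deny a formmail URI only when subject or from
    contains a newline, which is what turns a contact form into a mail relay."""
    path, params = collect_params(target, body)
    if not FORMMAIL_PATH.search(path):
        return False
    return any(CRLF.search(v) for f in HEADER_FIELDS for v in params.get(f, []))


# Constructed sample requests as (target, POST body); not taken from the archive.
SAMPLE_REQUESTS = [
    ("/cgi-bin/formmail.pl?subject=Hello&from=alice%40example.com", ""),     # legitimate
    ("/cgi-bin/formmail.pl?subject=Hello%0AX-Injected:%201", ""),             # LF in subject
    ("/forms/formmail.php", "from=bob%40example.com%0D%0AX-Injected:%201"),  # CRLF in body
    ("/forms/FormMail.cgi", "subject=Hi&from=carol%40example.com"),           # mixed case, clean
    ("/cgi-bin/other.cgi?subject=Hi%0AX-Injected:%201", ""),                  # not formmail
]


def evaluate(samples=SAMPLE_REQUESTS):
    """Return (broad, narrow) verdicts per sample so the two policies can be compared."""
    return [(broad_block(t, b), narrow_block(t, b)) for t, b in samples]


if __name__ == "__main__":
    for (target, _), (broad, narrow) in zip(SAMPLE_REQUESTS, evaluate()):
        print(f"{target:60} broad={broad!s:5} narrow={narrow}")
```

The broad policy denies the two clean formmail requests as well; the narrow one denies only the two with a newline in a header field and ignores the non-formmail script entirely.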