
Wizcrafts Computer Services

FormMail Security - Security Vulnerabilities in Matt Wright's FormMail Script and Solutions

Many web hosting companies include server support for CGI and Perl scripts, which add a great deal of functionality to their customers' websites. Many domain owners and webmasters use Perl CGI scripts to send the contents of feedback forms to themselves by email, and a lot of them are using Matt Wright's FormMail Perl script to do it.

If you, or someone you know, are using Matt Wright's FormMail script there is something very important that you need to know: the older versions of it are not secure!

Because of lax input validation, and abuse that was not foreseen when the script was written, all FormMail versions prior to version 1.93, released on July 14, 2009, have serious security flaws. They allow an attacker to take control of the script's sendmail call and send mail to recipients of his own choosing, which turns your hosting account into a bulk email (spam) relay. The first thing you need to do, if you use the FormMail script, is to check the version number, which is listed near the top of the script, inside the commented-out box (lines starting with # are Perl comments). Here is what version 1.93 looks like in its copyright notice:

# FormMail ... Version 1.93
# Copyright 1995-2009 Matt Wright
# [email protected]
# Created 06/09/95 ... Last Modified 07/14/2009
# Matt's Script Archive, Inc.: https://www.scriptarchive.com/

If the version number is less than 1.93 you should run, not walk, to https://www.scriptarchive.com/formmail.html and download the latest version. Read the new instructions and security advice at the website, and in the Readme included in the Zip file, then configure the script for your website's domain name, IP address and allowed recipients, as described in the Readme(.txt) notes. The allowed-recipients list is the setting that actually closes the relay: the script will refuse to send to any address that is not on it, no matter what a submitted form asks for. When you upload the properly configured script to your web server (probably to the cgi-bin or cgi-local directory) be sure to upload it in ASCII (text) mode, then CHMOD it (set file permissions) to 711 (rwx --x --x, in the order Owner, Group, Everyone), not 777 (rwx rwx rwx). If the script won't run with 711 permissions change them to 755 (rwx r-x r-x), which is less secure because the file becomes world-readable. Either setting gives the owner full access while the World (Everyone group) gets execute permission only (plus read, if you allow 755).

When uploading a FormMail script to the CGI folder on your server be absolutely sure that you are uploading it in ASCII mode. If you mistakenly transfer it in binary mode from a Windows machine, the Windows line endings (carriage return plus line feed) stay in the file, the interpreter named on the first line (#!/usr/bin/perl) can no longer be found, and the script will refuse to execute. The server usually reports that as a 500 Internal Server Error ("Premature end of script headers"); a 403 Forbidden response (for example, "You don't have permission to access /cgi-bin/formmail.cgi on this server" or "Access Denied") more often points to wrong file permissions. If you get either error, re-read the previous paragraph and check both the transfer mode and the CHMOD setting. Read more about chmod, ASCII and binary modes here.

It is strongly recommended that you hard-code the recipient's email address into the HTML form that calls the script, using a hidden "recipient" input, rather than letting the visitor supply one:

ex: <input type="hidden" name="recipient" value="You@YourDomain.com">

Keep in mind that a spammer does not have to use your form; he can post to your script from his own copy of it with any "recipient" value he likes. So the hidden field by itself does not stop hijacking. What stops it is the list of allowed recipients you configure inside the script, which rejects every address that is not on the list. Hard-coding the address in the form does, however, open up another problem, called email address harvesting. Spammers have loosed harvesting bots that scour every website they can find for anything that resembles an email address and send every one they find back to the bots' owners. Some people resort to writing their addresses as numeric HTML character entities to try to foil the harvesters, but there is a better way, called "recipient aliasing," which is available in an alternative version of FormMail.pl described a few paragraphs down.*

All of this can be avoided if you follow safe scripting practices and secure those form scripts. If you doubt me and have access to your server logs I suggest that you read them on a daily basis. Eventually you will come across attempts to abuse FormMail or other mailer scripts. These are easier to spot if you don't actually have a file named formMail.pl or FormMail.cgi on your server, because those requests then return a 404 Not Found response, which you can find by viewing your error logs (403 Forbidden, 404 Not Found, and various script or server errors) from your website's control panel. If you see POSTs or GETs for files beginning with FormMail, MailForm or other names containing "form" and/or "mail", ending in .pl, .cgi or .php, and you don't have files with those names, they are undoubtedly attempts to spam through, or hijack, a form mailer script.
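The kind of log reading described above can be scripted. The following is an added example written for this page (it is not code from the original article, from Matt Wright or from the NMS project): it parses Apache combined-format access log lines, flags requests for script names containing "form" or "mail" that are not your own script, and counts the source addresses. The regexes, the function names and the log lines themselves are constructed for illustration; the addresses are documentation ranges, not real hosts.

```python
"""Spot probes for form mailer scripts in an Apache access log.

Added example for this page, not from the original article. LOG_RE,
MAILER_PROBE_RE, scan() and the SAMPLE_LOG lines are all constructed
here for illustration.
"""
import re
from collections import Counter

# Apache "combined" format:
#   host ident user [time] "METHOD path proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# What a mailer-seeker bot asks for: a basename containing "form" or "mail"
# with a script extension, optionally followed by a query string.
MAILER_PROBE_RE = re.compile(
    r'/[^/?]*(form|mail)[^/?]*\.(pl|cgi|php)(\?|$)', re.IGNORECASE
)


def parse_line(line):
    """Return the named fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_mailer_probe(entry, my_scripts=()):
    """True when the request targets a form/mail script name that is not one
    of your own scripts (pass your real, renamed script paths in my_scripts)."""
    path = entry["path"].split("?", 1)[0]
    if path.lower() in {s.lower() for s in my_scripts}:
        return False
    return MAILER_PROBE_RE.search(entry["path"]) is not None


def scan(lines, my_scripts=()):
    """Return (ip, method, path, status) for every probe found in lines."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry and is_mailer_probe(entry, my_scripts):
            hits.append((entry["ip"], entry["method"], entry["path"], entry["status"]))
    return hits


def top_sources(hits):
    """Source addresses ordered by number of probes, most active first."""
    return Counter(ip for ip, *_ in hits).most_common()


# Constructed sample log: three probes from one host, one from another, and
# two legitimate requests (one of them to the site's own renamed mailer).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2010:04:12:01 -0500] "POST /cgi-bin/FormMail.pl HTTP/1.0" 404 209 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Mar/2010:04:12:02 -0500] "POST /cgi-bin/formmail.cgi HTTP/1.0" 404 209 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Mar/2010:04:12:03 -0500] "GET /cgi-bin/mailform.php?recipient=x@y.z HTTP/1.0" 404 209 "-" "Mozilla/4.0"
198.51.100.9 - - [10/Mar/2010:04:15:44 -0500] "GET /contact.html HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2010:04:16:10 -0500] "POST /cgi-bin/sendnote.cgi HTTP/1.1" 302 0 "http://www.example.com/contact.html" "Mozilla/5.0"
192.0.2.33 - - [10/Mar/2010:05:01:00 -0500] "POST /cgi-bin/Mailer.pl HTTP/1.0" 404 209 "-" "-"
""".splitlines()


if __name__ == "__main__":
    found = scan(SAMPLE_LOG, my_scripts=["/cgi-bin/sendnote.cgi"])
    for hit in found:
        print(*hit)
    print(top_sources(found))
```

Run it against a real access_log by replacing SAMPLE_LOG with the file's lines and putting the path of your own (renamed) mailer script in my_scripts, so that genuine submissions are not reported. Note that the script keys on the request path, not on the status code, so it also catches probes that happen to hit an existing file.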

Another reason why you should rename and secure your form mail script is that there are a lot of low-life people who will post to your script from their own form and submit whatever they want to your server. If you have an insecure version of FormMail and have not renamed it, they will be able to use it for their own purposes, none of which will bode well for you.

Please follow this advice and update and secure any FormMail scripts that you may be running on your servers and websites. Then rename the script to something that bears no resemblance to the words "form" or "mail", to conceal it from the FormMail-seeking bots, spammers and hackers. Better yet, read about the NMS secure FormMail replacement script below.


NMS Perl Scripts * There is an alternative to Matt Wright's buggy and insecure scripts, and that is to use the drop-in replacements from NMS, especially the FormMail replacement. Matt Wright's FormMail script went without an update from April 21, 2002 until the 2009 release mentioned above, and the NMS FormMail replacement had already improved upon it by 2004. All NMS Project scripts are written with stability and security in mind. The NMS FormMail script allows for much more user configuration than the original, and is well worth the extra effort required for the added flexibility and security you will gain.

My favorite feature of NMS FormMail (v3.14c1, or the current build) is the ability to cloak your form recipients' email addresses from harvester bots. This is done with aliases in both the HTML form and the NMS Perl script. For instance, instead of hard-coding <input type="hidden" name="recipient" value="You@YourDomain.com"> inside your HTML <form> tags, you use <input type="hidden" name="recipient" value="1"> and define the actual recipient in the FormMail script. The script performs the alias translation with a hash like this: %recipient_alias = ('1' => 'You@YourDomain.com', '2' => 'Someone.Else@YourDomain.com');, and so on. The harvesting bots have no way of lifting your email addresses from forms that use this aliasing method instead of plain-text addresses. A fully detailed Readme file is included in formmail.zip, and you can find answers to most questions about NMS FormMail on the NMS FAQs page.
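To make concrete what the allowed-recipients list (discussed earlier on this page) and the recipient aliasing just described each buy you, here is an added example written for this page. It is Python rather than Perl, and it is not code from Matt Wright's FormMail or from NMS FormMail; it models the same ideas as FormMail's @recipients list and NMS's %recipient_alias hash. The names RECIPIENT_ALIAS, ALLOWED_RECIPIENTS, resolve_recipients(), header_safe() and build_headers() are assumptions of this example, and the example.com addresses are constructed placeholders.

```python
"""Recipient handling for a form-to-mail CGI: the open-relay behaviour beside
a hardened version that uses an allow list and recipient aliases.

Added example for this page, not code from Matt Wright's FormMail or from
NMS FormMail. All names and addresses below are constructed placeholders.
"""
import re

# Insecure behaviour: whatever the submitted form puts in the hidden
# "recipient" field is where the mail goes. A spammer posts from his own
# form with his own list of victims, and the script becomes an open relay.
def recipient_insecure(form):
    return form.get("recipient", "")


# Hardened behaviour: the script, not the form, decides where mail may go.

# Aliases: the HTML form carries a short token instead of a real address,
# so a harvesting bot reading the page source learns nothing.
RECIPIENT_ALIAS = {
    "1": "webmaster@example.com",
    "2": "sales@example.com",
}

# Allow list: patterns for addresses the script will ever send to, matched
# against the whole address (fullmatch), so nothing can be appended.
ALLOWED_RECIPIENTS = [
    re.compile(r"[a-z0-9._+-]+@example\.com", re.IGNORECASE),
]


class RecipientRejected(ValueError):
    """Raised when a submission names a recipient the script will not serve."""


def resolve_recipients(form):
    """Turn the submitted "recipient" field into real addresses.

    Tokens are looked up in RECIPIENT_ALIAS; anything else is taken as a
    literal address. Every resulting address must be on the allow list,
    otherwise the whole submission is refused (no partial delivery).
    """
    raw = form.get("recipient", "")
    resolved = []
    for token in raw.split(","):
        token = token.strip()
        if not token:
            continue
        addr = RECIPIENT_ALIAS.get(token, token)
        if not any(p.fullmatch(addr) for p in ALLOWED_RECIPIENTS):
            raise RecipientRejected("recipient not allowed: %r" % token)
        resolved.append(addr)
    if not resolved:
        raise RecipientRejected("no recipient given")
    return resolved


def header_safe(value, max_len=200):
    """Refuse header values containing CR or LF: a newline in a submitted
    "email" or "subject" field would let the sender smuggle extra headers
    (Bcc:, To:) into the message the script hands to sendmail."""
    if "\r" in value or "\n" in value:
        raise ValueError("newline in header value")
    return value[:max_len]


def build_headers(form):
    """Assemble the mail headers for one validated form submission."""
    return {
        "To": ", ".join(resolve_recipients(form)),
        "From": header_safe(form.get("email", "")) or "nobody@example.com",
        "Subject": header_safe(form.get("subject", "")) or "Form submission",
    }


if __name__ == "__main__":
    # Constructed submissions: a legitimate one and a spammer's attempt.
    print(build_headers({"recipient": "1", "email": "visitor@example.org",
                         "subject": "Hello"}))
    try:
        build_headers({"recipient": "1,victim@other.net"})
    except RecipientRejected as exc:
        print("refused:", exc)
```

The point of the allow list is that it is checked after alias translation, so a forged form cannot bypass it by sending a literal address, and the point of refusing the whole submission on one bad address is that a relay attempt never delivers to anyone. The CR/LF check is a separate concern from the recipient list and is cheap enough to apply to every field that ends up in a mail header.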

The NMS version of FormMail must also be uploaded in ASCII mode and CHMODded to 711, or 755, as per the previous instructions (to avoid access denied messages or failure to execute). Note that CHMOD is a Unix/Linux file permission command, so it applies when your website is hosted on a Unix or Linux server (which is where Apache is usually found). If you are on a Windows-based server, contact your web host about setting the permissions for CGI scripts.

In Summary:

With mailer scripts being hijacked by spammers, it behooves us to tighten every loophole that can be found in Matt's FormMail script, either by upgrading to his newest version or by switching to the NMS version instead. Closing the door on open email relays is an important step in the war against spam. Securing your mailer scripts makes good sense and will protect you from the adverse action that could be taken against you if you run unsecured scripts that are hijacked by spammers and complaints begin rolling in to your web host.

Be sure to visit our Security Blog for news about malware, spam and vulnerability threats and their mitigations.