Formmail Anonymous Mailer

WARNING! WARNING! WARNING! If you use this service to send e-mail, your own IP address will be logged, both in the web server logs of the site(s) that you select to forward your message(s), and also in our own web server logs here. YOU HAVE BEEN WARNED! This web site and this service are for educational purposes only and may not be used for any form of commercial activity, nor for any form of harassment or other illegal activity. All such activities are expressly prohibited, and the owner of this web site and this web server takes no responsibility for any possible misuse of this web site or of the programs or data contained or provided herein.



The Formmail Anonymous Mailer is a simple technology demonstration written entirely in a combination of HTML and Javascript. The purpose of this service is to demonstrate just how remarkably trivial it is to exploit well-known and well-publicized security problems in out-of-date and obsolete versions of Matt Wright's widely used FormMail.pl CGI script, which, unfortunately, is still installed on many servers in many locations throughout the Internet. These problematic FormMail.pl CGI scripts (and their rather gaping security holes), in particular the 1.6 version, are used and exploited frequently by e-mail spammers to send large quantities of unsolicited e-mail. The spam messages in question typically promote either pornographic web sites or unsavory and questionable products, for example blatantly fraudulent ``penis enlargement'' devices.

Additionally, however, this Formmail Anonymous Mailer is intended to demonstrate, generally, how easy it is to use the built-in functionality of Javascript to automate the exploitation of any number of common CGI scripting bugs known to be present in various widely-used CGI scripts. In fact, with simple HTML together with Javascript, fully-automated client-side exploitation of CGI script security problems can be achieved in very few lines of code, even by novice programmers. Given the explosive growth of CGI scripting generally over the last few years, and the number of security flaws that have been detected and publicly reported in many widely-distributed and commonly-used CGI scripts, the ease of scripting exploits for such flaws, in particular with Javascript, should be of concern to all parties having an interest in the overall security of the Internet. It should be clearly understood, however, that Javascript is not the problem here. The problem lies with the exploitable CGI scripts, the programmers who produce them (with inadequate attention to security issues), and the many web server administrators who fail to remove or upgrade them once serious security issues in those scripts become a matter of public knowledge.

The Formmail Anonymous Mailer allows users to compose arbitrary e-mail messages carrying arbitrary user-selected sender addresses, and to have those messages forwarded to arbitrary destination addresses via one or more FormMail.pl CGI scripts installed in various locations around the Internet. The submission of the e-mail messages to these various FormMail.pl scripts is fully automated and takes place entirely within the client browser. Neither the web server nor the mail server at our location here participates in any of these transactions.

As noted above, any user of the Formmail Anonymous Mailer will typically have their IP address logged (in the web server logs) at each remote site that the user elects to send a copy of his or her e-mail messages through. It should be noted, however, that many sites turn over (overwrite) their old logs on a very frequent basis, in some cases as frequently as once a day. Thus anyone who feels damaged by having received an e-mail message via one of these unsecured FormMail.pl scripts (and who therefore wants to trace back to the true originating IP address in order to find the real perpetrator of the message) may be entirely thwarted from doing so unless they are able to contact an administrator at the relevant (FormMail.pl hosting) site in a very timely fashion. Even where this is done, many other factors may conspire to thwart the completion of the trace: for example, language barriers, lack of experience on the part of the FormMail.pl host administrator (e.g. a lack of understanding of even how to go about extracting the relevant records from the local web server log files), or perhaps site policies which prevent any server logs from being created or maintained whatsoever. Of course, all of this assumes that it is even possible for the message recipient to locate a current, valid, and working e-mail address for some caring and suitably empowered administrator at the FormMail.pl hosting site. Even that alone may often be problematic for a variety of reasons.
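As an added example (not part of the original page or of FormMail itself), the following Python script performs the kind of record extraction that the trace-back described above depends on: it scans Apache combined-format access log lines for requests to FormMail.pl and reports, per client IP, any recipient that lies outside the hosting site's own domains. The log lines are constructed sample data; the combined log format, the sample IP addresses and the `own_domains` set are assumptions, and the comma-separated recipient list follows the 1.x script's documented `recipient` field.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache "combined" log format (not from any real server).
# 192.0.2.10 twice names a recipient outside the site's own domain: the relaying
# abuse discussed above. 198.51.100.7 uses POST, so the recipient is not in the log.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Oct/2003:13:55:36 +0000] "GET /cgi-bin/FormMail.pl?recipient=victim%40example.net&email=spammer%40example.org&subject=hi HTTP/1.0" 200 512 "-" "Mozilla/4.0"
198.51.100.7 - - [10/Oct/2003:13:56:01 +0000] "POST /cgi-bin/FormMail.pl HTTP/1.1" 200 512 "http://www.example.com/contact.html" "Mozilla/5.0"
192.0.2.10 - - [10/Oct/2003:13:56:40 +0000] "GET /cgi-bin/formmail.pl?recipient=other%40example.net HTTP/1.0" 200 512 "-" "Mozilla/4.0"
203.0.113.5 - - [10/Oct/2003:13:57:12 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# client IP, timestamp, method, URL and status from one combined-format line
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) ')


def formmail_hits(log_text, own_domains):
    """Summarise requests to FormMail.pl per client IP.

    own_domains: domains whose mailboxes this site's form legitimately delivers to.
    For GET requests the recipient is visible in the query string; a POST body is
    not recorded in the access log, so those hits are counted as unknown_recipient.
    """
    per_ip = defaultdict(lambda: {"hits": 0, "off_domain": [], "unknown_recipient": 0})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a well-formed access log line
        parts = urlsplit(m.group("url"))
        if not parts.path.lower().endswith("formmail.pl"):
            continue
        entry = per_ip[m.group("ip")]
        entry["hits"] += 1
        recipients = parse_qs(parts.query).get("recipient")
        if not recipients:
            entry["unknown_recipient"] += 1
            continue
        for value in recipients:
            for addr in value.split(","):  # FormMail accepts a comma-separated list
                domain = addr.strip().rsplit("@", 1)[-1].lower()
                if domain not in own_domains:
                    entry["off_domain"].append(addr.strip())
    return dict(per_ip)


def suspicious_clients(log_text, own_domains):
    """IPs that sent at least one FormMail.pl request with an off-domain recipient."""
    return sorted(ip for ip, e in formmail_hits(log_text, own_domains).items() if e["off_domain"])
```

The POST case shows the limit of this approach: resolving those recipients needs the script's own logging or a capture of the request body, not just the access log.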

In summary, both old versions and even the latest version of the FormMail.pl script are a very bad thing to have installed anywhere on any of your web servers. There are many known flaws in the pre-1.9 versions of this script, including the exploit that allows unauthorized forwarding of e-mail, the exploit that allows remote command execution, and the exploit that allows information leakage of local environment variables. On top of all this, further investigation (by the developer of this web site) of potential unauthorized e-mail forwarding exploits within the 1.9 version of FormMail.pl has made it evident that there remain numerous methods to trick the 1.9 version into forwarding arbitrary, anonymized e-mail messages to any desired destination address, or set of destination addresses. Thus, if you have any version of the FormMail.pl script installed on any of your web servers, you are advised to remove it immediately. Also, please do not be lulled into a false sense of security just because you are using a ``security patched'' version of the FormMail.pl script. The ``security patched'' versions that are publicly available have also been shown to suffer from multiple easily exploitable flaws.

More generally, we advise webmasters everywhere to stop and reconsider the security aspects and implications of any and all CGI scripts (and all other active components) installed on their respective web sites. As time progresses, standard services, such as SMTP, FTP, POP3, IMAP, and NNTP, and the software servers that implement them are, we hope, becoming more and more well ``shaken out'', and thus more and more free of remotely exploitable security problems. HTTP services however can be and are being extended in new and novel ways every day via the addition of new, and sometimes untested server-side active components, thus rendering the HTTP service, its associated port, and HTTP transactions generally ever more likely sources of new security problems.


Those interested in performing CGI security audits of their web sites/servers are encouraged to investigate whisker, a very sophisticated free CGI security auditing tool that scans a specified web site for a large number of known common CGI security vulnerabilities.