[rt-users] Web interface for clients

Bob Apthorpe arclight at jump.net
Wed Feb 27 19:58:44 EST 2002


Please bear with me if I seem overly ranty on this point:

DO NOT INSTALL formmail.pl ESPECIALLY ON A SYSTEM EXPOSED TO THE PUBLIC 
INTERNET - IT'S A MONSTROUSLY HUGE SECURITY RISK.

See http://www.monkeys.com/anti-spam/formmail-advisory.ps for the security 
advisory; if you're running formmail.pl in any capacity, please replace it 
with the more secure version at ftp://ftp.monkeys.com/pub/formmail/1.9s/ or 
disable it as soon as possible.

Apologies for shouting but there is at least one anti-spam DNSBL devoted to 
blacklisting sites running formmail.pl. I reviewed the formmail.pl code a few 
years ago and found a number of very serious flaws; sadly, it hasn't changed 
since then. Basically formmail.pl turns your mailserver into an open relay 
which is then trivially exploited by spammers. I've received spam via 
formmail.pl scripts; this is not a theoretical problem.

Regardless of firewalling and other security measures you may have in place, 
it's a very bad idea to install known insecure scripts like formmail.pl, 
especially when there are plenty of secure alternatives available. You are 
better off coding your own special-purpose web-to-mail CGI script, taking 
care to hard-code or programmatically generate recipient addresses.

Please don't take this as a personal attack. Formmail is unfortunately very 
popular and many people don't know its lineage - they find out the hard way. 
I bear a particular grudge against formmail because it's so obviously broken, 
it has been for a long time, and the author either doesn't have the talent or 
time to fix the code or the common sense to stop distributing it. IMHO, 
Matt's Script Archive gives a black eye to every responsible open-source 
developer out there and I feel sorry for everyone who has installed formmail 
in good faith, mistakenly believing that the author took reasonable security 
precautions when designing the code.

-- Bob

References:
http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=formmail

On Wednesday 27 February 2002 16:32, you wrote:
> On Tue, Feb 26, 2002 at 05:04:08PM +0800, francisv at dagupan.com wrote:
> > Hi,
> >
> > Is it possible to integrate RT to an existing web form where clients can
> > select which issues they want to report besides using the e-mail? Here's
> > the scenario:
> >
> > Web form -> client selects issue, describes problem, enters e-mail &
> > other contact information -> client clicks submit report -> server
> > accepts request, checks for required fields -> sends e-mail to RT -> RT
> > responds to client by sending back the trouble ticket
>
> You should be able to do this with a simple web form, and something like
> the formmail.pl script from Matt's Script Archive.
> <http://worldwidemart.com/scripts/formmail.shtml>
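An added example of the approach Bob recommends (not code from the original thread, from RT, or from Matt's Script Archive): a small web-to-mail handler in Python whose recipient is fixed in the script rather than read from the form, with the required-field check the original question asks for. The queue address, the menu of issue types and the form body are constructed for the example.

```python
# Added example: a web-to-mail handler with a hard-coded recipient.
# Nothing submitted in the form can change where the mail goes, which is
# the difference between this and the formmail.pl behaviour described above.
import re
from email.message import EmailMessage
from urllib.parse import parse_qs

RT_QUEUE_ADDRESS = "support@example.com"          # hypothetical RT queue address
REQUIRED_FIELDS = ("issue", "description", "email")
ALLOWED_ISSUES = {"login", "billing", "outage"}     # constructed issue menu

# fullmatch() is used so a trailing CR/LF cannot slip past the pattern and
# end up in a header line.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def build_ticket_mail(form_body: str) -> EmailMessage:
    """Parse an application/x-www-form-urlencoded body and build the mail
    destined for RT. Raises ValueError on a bad submission. The form is never
    consulted for recipient or routing information."""
    fields = {k: v[0] for k, v in
              parse_qs(form_body, keep_blank_values=True).items()}

    missing = [f for f in REQUIRED_FIELDS if not fields.get(f, "").strip()]
    if missing:
        raise ValueError("missing required fields: " + ", ".join(missing))
    if fields["issue"] not in ALLOWED_ISSUES:
        raise ValueError("unknown issue type")
    if not EMAIL_RE.fullmatch(fields["email"]):
        raise ValueError("invalid e-mail address")

    # Any recipient/cc/bcc field the submitter may have added is ignored:
    # the addressing below uses only the constant and the validated contact.
    msg = EmailMessage()
    msg["To"] = RT_QUEUE_ADDRESS
    msg["From"] = RT_QUEUE_ADDRESS      # submitter's address goes in Reply-To only
    msg["Reply-To"] = fields["email"]
    msg["Subject"] = "[web form] " + fields["issue"]   # value from the allow list
    msg.set_content(
        "Issue: %s\nContact: %s\n\n%s"
        % (fields["issue"], fields["email"], fields["description"])
    )
    return msg
```

The returned message would be handed to the local MTA (for example via smtplib to localhost), so the only address it can ever reach is the RT queue.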
