[rt-users] Web interface for clients
Bob Apthorpe
arclight at jump.net
Wed Feb 27 19:58:44 EST 2002
Please bear with me if I seem overly ranty on this point:
DO NOT INSTALL formmail.pl ESPECIALLY ON A SYSTEM EXPOSED TO THE PUBLIC
INTERNET - IT'S A MONSTROUSLY HUGE SECURITY RISK.
See http://www.monkeys.com/anti-spam/formmail-advisory.ps for the security
advisory; if you're running formmail.pl in any capacity, please replace it
with the more secure version at ftp://ftp.monkeys.com/pub/formmail/1.9s/ or
disable it as soon as possible.
Apologies for shouting but there is at least one anti-spam DNSBL devoted to
blacklisting sites running formmail.pl. I reviewed the formmail.pl code a few
years ago and found a number of very serious flaws; sadly, it hasn't changed
since then. Basically formmail.pl turns your mailserver into an open relay
which is then trivially exploited by spammers. I've received spam via
formmail.pl scripts; this is not a theoretical problem.
Regardless of firewalling and other security measures you may have in place,
it's a very bad idea to install known insecure scripts like formmail.pl,
especially when there are plenty of secure alternatives available. You are
better off coding your own special-purpose web-to-mail CGI script, taking
care to hard-code or programmatically generate recipient addresses.
Please don't take this as a personal attack. Formmail is unfortunately very
popular and many people don't know its lineage - they find out the hard way.
I bear a particular grudge against formmail because it's so obviously broken,
it has been for a long time, and the author either doesn't have the talent or
time to fix the code or the common sense to stop distributing it. IMHO,
Matt's Script Archive gives a black eye to every responsible open-source
developer out there and I feel sorry for everyone who has installed formmail
in good faith, mistakenly believing that the author took reasonable security
precautions when designing the code.
-- Bob
References:
http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=formmail
On Wednesday 27 February 2002 16:32, you wrote:
> On Tue, Feb 26, 2002 at 05:04:08PM +0800, francisv at dagupan.com wrote:
> > Hi,
> >
> > Is it possible to integrate RT to an existing web form where clients can
> > select which issues they want to report besides using the e-mail? Here's
> > the scenario:
> >
> > Web form -> client selects issue, describes problem, enters e-mail &
> > other contact information -> client clicks submit report -> server
> > accepts request, checks for required fields -> sends e-mail to RT -> RT
> > responds to client by sending back the trouble ticket
>
> You should be able to do this with a simple web form, and something like
> the formmail.pl script from Matt's Script Archive.
> <http://worldwidemart.com/scripts/formmail.shtml>
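The safer design Bob recommends above (a purpose-built web-to-mail handler whose recipient is hard-coded or chosen from a fixed table, never read from the form) can be illustrated with a small example. This is added code, not Bob's script and not formmail.pl; it is written in Python rather than Perl, and the queue addresses, field names and sender address are constructed placeholders. The form only selects an issue category, which is looked up in a server-side table of RT queue addresses; any field that tries to name a recipient is rejected, and header values are checked for embedded line breaks so a submission cannot add mail headers of its own.

```python
"""Minimal web-to-mail handler for an RT front-end form (added example).

The recipient is never taken from the submitted form: the form chooses an
issue category, and the category is mapped to an RT queue address here on
the server. All addresses and field names below are constructed examples.
"""
import re
import smtplib
from email.message import EmailMessage

# Constructed: issue category -> RT queue address. Only these addresses can
# ever appear in the To: header, so the script cannot be used as a relay.
QUEUE_ADDRESSES = {
    "network": "network-rt@example.com",
    "billing": "billing-rt@example.com",
    "general": "support-rt@example.com",
}

# Fields the form must fill in before a ticket mail is generated.
REQUIRED_FIELDS = ("issue", "email", "description")

# Fields that would let the submitter choose a recipient; reject them.
FORBIDDEN_FIELDS = {"recipient", "to", "cc", "bcc"}

_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


class FormError(ValueError):
    """Raised for any submission that must not be turned into mail."""


def _header_value(value: str) -> str:
    """Return a stripped single-line value; refuse CR/LF (header injection)."""
    if "\r" in value or "\n" in value:
        raise FormError("header fields must be a single line")
    return value.strip()


def build_ticket_mail(form: dict) -> EmailMessage:
    """Validate the submitted fields and build the message addressed to RT."""
    missing = [f for f in REQUIRED_FIELDS if not form.get(f, "").strip()]
    if missing:
        raise FormError("missing required fields: " + ", ".join(missing))

    bad = FORBIDDEN_FIELDS.intersection(k.lower() for k in form)
    if bad:
        raise FormError("form may not name recipients: " + ", ".join(sorted(bad)))

    issue = _header_value(form["issue"]).lower()
    if issue not in QUEUE_ADDRESSES:
        raise FormError(f"unknown issue category: {issue!r}")

    sender = _header_value(form["email"])
    if not _EMAIL_RE.match(sender):
        raise FormError("invalid e-mail address")

    msg = EmailMessage()
    # RT identifies the requestor from the sender address, so the client's
    # validated address goes in From: and RT's auto-reply reaches them.
    msg["From"] = sender
    msg["To"] = QUEUE_ADDRESSES[issue]          # fixed, server-chosen recipient
    subject = _header_value(form.get("subject", "Web report"))[:100]
    msg["Subject"] = f"[webform/{issue}] {subject}"

    # The free-text description goes only in the body, never in a header.
    body_lines = [
        f"Issue category: {issue}",
        f"Contact: {sender}",
        f"Phone: {_header_value(form.get('phone', ''))}",
        "",
        form["description"].strip(),
    ]
    msg.set_content("\n".join(body_lines))
    return msg


def submit_to_rt(form: dict, smtp_host: str = "localhost") -> str:
    """Build the mail and hand it to the local MTA; returns the queue address."""
    msg = build_ticket_mail(form)
    with smtplib.SMTP(smtp_host) as smtp:
        smtp.send_message(msg)
    return msg["To"]


if __name__ == "__main__":
    # Constructed sample submission; build only, do not send.
    sample = {"issue": "Network", "email": "client@example.org",
              "description": "Uplink has been down since 09:00."}
    print(build_ticket_mail(sample))
```

The handler deliberately has no configurable recipient at all; changing where reports go means editing QUEUE_ADDRESSES on the server, which is the "hard-code or programmatically generate recipient addresses" advice in practice.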