XPost: comp.security.unix
On 12/10/21 10:17 AM, The Doctor wrote:
> a formmail form was attacked by a hacker on Monday using some SQL script.
What /precisely/ is formmail in this context?
I ask because I've seen a number of things called "formmail" over
decades, with wildly different capabilities and defenses.
> Anyone seen this before?
Yes. I've seen many ... problems ... with various formmail
implementations over the years. Many of the ones that I looked at in
the '00s were -- IMHO -- rooted in formmail trying to be a generic form
handler to send email. The generic nature of its attempt to be a
simple target to post form content to as a handler made it more than a
little vulnerable. Especially considering that clients could see just
about any if not all protection mechanisms in the page that used formmail
as a form action.
I generally avoided such generic formmail things for that reason and
tended to write specific implementations that hard coded some aspects
(like the target email address) which made it a LOT harder to exploit.
Aside: I'm not quite sure how SQL fits into this overall discussion.
Maybe the version of formmail that you're dealing with uses SQL as a
backend for something. Maybe someone exploited an SQL server and
induced it to do something it shouldn't. There's a LOT of room for interpretation.
--
Grant. . . .
unix || die
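The contrast Grant draws, a generic handler that takes its behaviour from whatever the form posts versus a site-specific one with the recipient hard coded, can be shown side by side. The following is an added example, not code from the thread or from any formmail implementation; the field names, addresses and the posted sample are constructed for illustration.

```python
import re
from email.message import EmailMessage

# Constructed sample of what a browser might POST to a formmail-style handler.
# Every field here, hidden inputs included, is under the client's control.
SAMPLE_POST = {
    "recipient": "somebody-else@example.net",  # client-supplied destination
    "email": "visitor@example.com",
    "subject": "Question about your product",
    "message": "Hello, is this item still available?",
}

# The only address this site's form should ever deliver to (hypothetical value,
# fixed on the server rather than read from the page).
HARDCODED_RECIPIENT = "webmaster@example.com"

# Fields the hardened handler is willing to read; everything else is ignored.
ALLOWED_FIELDS = {"email", "subject", "message"}

# Deliberately simple address check: enough to reject garbage and control
# characters, not a full RFC 5322 validator.
SIMPLE_ADDRESS = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def generic_formmail(fields):
    """Generic handler: lets the form (i.e. the client) decide where mail goes."""
    msg = EmailMessage()
    msg["To"] = fields["recipient"]
    msg["From"] = fields["email"]
    msg["Subject"] = fields["subject"]
    msg.set_content(fields["message"])
    return msg


def hardened_formmail(fields):
    """Site-specific handler: fixed recipient, allowlisted fields, checked headers."""
    # Read only the fields we expect; a posted "recipient" is simply dropped.
    sender = fields.get("email", "")
    subject = fields.get("subject", "")
    body = fields.get("message", "")

    if not SIMPLE_ADDRESS.match(sender):
        raise ValueError("invalid sender address")
    # Anything that ends up in a header line must not contain line breaks,
    # otherwise a visitor could smuggle in additional header lines.
    for value in (sender, subject):
        if "\r" in value or "\n" in value:
            raise ValueError("control characters in header field")

    msg = EmailMessage()
    msg["To"] = HARDCODED_RECIPIENT           # never taken from the form
    msg["From"] = "web-form@example.com"      # fixed sender identity (hypothetical)
    msg["Reply-To"] = sender                  # visitor goes in Reply-To only
    msg["Subject"] = subject[:200]            # cap length, keep it to one line
    msg.set_content(body)
    return msg


if __name__ == "__main__":
    print("generic  -> To:", generic_formmail(SAMPLE_POST)["To"])
    print("hardened -> To:", hardened_formmail(SAMPLE_POST)["To"])
```

Run against the constructed POST, the generic handler addresses the message to whatever the client put in `recipient`, while the hardened one always addresses it to `HARDCODED_RECIPIENT` and refuses input whose header fields contain line breaks. The real-world handler would hand the returned message to an SMTP client; that step is left out so the example runs offline.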
--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)