nms chalks up another conquest on the road to world domination.

Patrick Carmichael
Lecturer in IT Education
School of Education
University of Reading
Reading RG6 1HY

http://www.reading.ac.uk/~ems97pc


---------- Forwarded message ----------
Date: Tue, 9 Apr 2002 11:59:43 +0100 (GMT Daylight Time)
From: Chris Wakelin <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: n-a: FormMail replaced due to security flaws

Hi all,

I've just replaced the formmail.pl script in 
http://www.rdg.ac.uk/cgi-bin/formmail.pl with a drop-in replacement. 
There should be no noticeable difference, but it would be sensible for 
everybody to check that any of your forms that use this script still 
work.

The reason for this is that we were running a version of FormMail (1.6 
with patches) that was being exploited to send SPAM email to thousands 
of addresses. See 

http://online.securityfocus.com/cgi-bin/vulns-item.pl?section=solution&id=3955

for details.

Even the newest version (1.9) does not fix all the problems, so I have 
used the suggested "nms" replacement. (We had added similar fixes to 
those in version 1.9 to our version 1.6, and version 1.9 was on the new
Apache webserver, currently in testing.)

If you find a form that no longer works, please tell me ASAP with 
details.

Some pages seem to use their own copy of FormMail 1.6. These are 
probably less likely to be exploited as they are in non-standard 
places (i.e. not /cgi-bin/formmail.pl) but should be updated anyway 
(or changed to use the main one) as the spammers may try an exhaustive 
search or use a search-engine to find vulnerable scripts.

Best Wishes,
Chris

--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+--
Christopher Wakelin,                                [EMAIL PROTECTED]
IT Services Centre, The University of Reading,       Tel: +44 (0)118 931 6630
Whiteknights, Reading, RG6 2AF, UK                   Fax: +44 (0)118 975 3094



+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Registered Main Information Providers must stay on this list but
Subsidiary Information Providers may leave by emailing
[EMAIL PROTECTED] with the word 'unsubscribe' in the
body of the message. Email [EMAIL PROTECTED] with the
word 'help' in the body of the message to get help.
WWW archives are at (password needed, request from niprov-announce-owner):
http://www.rdg.ac.uk/Maillists/niprov-discuss/archive/home.html
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
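A defender-side check for the point Chris makes about private copies of FormMail living outside /cgi-bin/ and spammers sweeping for them: this is an added example, not code from the original post nor from FormMail or nms. It scans Apache combined-format access-log lines, lists stray copies of formmail.pl that actually answered (so they need updating), and counts how many distinct formmail.pl paths each client probed. The log lines are constructed; the central path /cgi-bin/formmail.pl is the one named in the message.

```python
import re

# Constructed sample of Apache combined-log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [09/Apr/2002:11:20:01 +0100] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 512 "-" "Mozilla/4.0"
203.0.113.5 - - [09/Apr/2002:11:20:02 +0100] "GET /depts/maths/formmail.pl HTTP/1.0" 404 210 "-" "Mozilla/4.0"
203.0.113.5 - - [09/Apr/2002:11:20:03 +0100] "POST /staff/jsmith/cgi/FormMail.pl HTTP/1.0" 200 498 "-" "Mozilla/4.0"
198.51.100.7 - - [09/Apr/2002:11:25:10 +0100] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [09/Apr/2002:11:25:11 +0100] "POST /depts/history/forms/formmail.pl?x=1 HTTP/1.1" 200 470 "-" "Mozilla/5.0"
"""

# Apache "combined" format: client, ident, user, [timestamp], "METHOD PATH PROTO", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# The centrally maintained copy from the announcement; every other hit is a stray copy.
CENTRAL_COPY = "/cgi-bin/formmail.pl"


def parse_line(line):
    """Return a dict with ip, ts, method, path (query string dropped), status, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]
    return rec


def is_formmail_path(path):
    """True for any request whose final path component is formmail.pl (case-insensitive)."""
    return path.lower().endswith("/formmail.pl")


def audit(log_text):
    """Return (stray_copies, probes_per_ip).

    stray_copies: paths other than CENTRAL_COPY that answered 200 -> live private
    copies that should be updated or pointed at the main script.
    probes_per_ip: number of distinct formmail.pl paths each client requested; a high
    count from one client looks like an exhaustive search for the script."""
    stray, per_ip = set(), {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_formmail_path(rec["path"]):
            continue
        per_ip.setdefault(rec["ip"], set()).add(rec["path"].lower())
        if rec["path"].lower() != CENTRAL_COPY and rec["status"] == 200:
            stray.add(rec["path"])
    return sorted(stray), {ip: len(paths) for ip, paths in per_ip.items()}
```

Run `audit(open("access_log").read())` against a real log; a 404 probe is noise, but a 200 from a path you did not know hosted FormMail is a copy to fix.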