From: Dave C. <da...@da...> - 2002-02-11 19:47:20

On Sun, Jan 27, 2002 at 02:22:39PM +1100, Jeremy Howard (jh_...@fa...) wrote:
> I don't know if you folks have seen this advisory:
> http://www.monkeys.com/anti-spam/formmail-advisory.pdf
>
> I've contacted the author and he claims that many of the listed
> vulnerabilities are also present in the current NMS version of this script. I
> checked whether he had informed you and he told me that he hasn't, and that
> he doesn't plan to. I don't have any more details--I just figured I'd pass
> on this info...

This chap's site came up on the london.pm list earlier today which
galvanised me into contacting the author. He seems to think that because
he looked at nms Formmail a few weeks ago he's not going to bother again.
He seems to have the idea that we don't really know what we're doing
because we haven't fixed all of Formmail's insecurities.

One interesting thing tho' - he's now released his own version of Formmail
that patches _all_ of the insecurities (or so he claims). It's available
from <ftp://ftp.monkeys.com/pub/formmail/1.9s/>. Might be interesting if
someone was to take a look.

He's got a more general rant about Formmail up at
<http://www.monkeys.com/anti-spam/filtering/formmail.html>

Dave...

--
.sig missing...