Rule: -- Sid: 884 -- Summary: This event is generated when an attempt is made to exploit a known vulnerability in the CGI web application Formmail running on a server. -- Impact: Several vulnerabilities include server access, information disclosure, spam relaying and mail anonymizing. -- Detailed Information: This event is generated when an attempt is made to access the perl cgi script Formmail. Early versions (1.6 and prior) had several vulnerabilities (Spam engine, ability to run commands under server id and set environment variables) and should be upgraded immediately. Newer versions can still be used by spammers for anonymizing email and defeating email relay controls. -- Affected Systems: All systems running Formmail -- Attack Scenarios: Information can be appended to the URL to use your mail gateway avoiding SMTP relay controls. HTTP header information can be manipulated to avoid access control methods in script. Allows SMTP exploits that are normally available only to trusted (local) users such as Sendmail % hack. -- Ease of Attack: Simple. Exploits exist. -- False Positives: Legitimate use of the script can cause alerts. Verify packet payload and watch web/mailserver logfiles. -- False Negatives: If the name of the script has been changed this rule will not generate an event. -- Corrective Action: Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. -- Contributors: Sourcefire Research Team Brian Caswell <bmc@sourcefire.com> Nigel Houghton <nigel.houghton@sourcefire.com> Snort documentation contributed by Kevin Binsfield (IDS@Safedge.com) -- Additional References: --