- --- EW-Mail.pl 2005-12-21 14:07:22.000000000 +0100
- +++ FormMail.pl 2009-07-14 21:47:46.000000000 +0200
- @@ -2,5 +2,5 @@
- ##############################################################################
- -# FormMail Version 1.92 #
- -# Copyright 1995-2002 Matt Wright mattw@scriptarchive.com #
- -# Created 06/09/95 Last Modified 04/21/02 #
- +# FormMail Version 1.93 #
- +# Copyright 1995-2009 Matt Wright mattw@scriptarchive.com #
- +# Created 1995-06-09 Last Modified 2009-07-14 #
- # Matt's Script Archive, Inc.: http://www.scriptarchive.com/ #
- @@ -8,3 +8,3 @@
- # COPYRIGHT NOTICE #
- -# Copyright 1995-2002 Matthew M. Wright All Rights Reserved. #
- +# Copyright 1995-2009 Matthew M. Wright All Rights Reserved. #
- # #
- @@ -23,3 +23,4 @@
- # ACCESS CONTROL FIX: Peter D. Thompson Yezek #
- -# http://www.securityfocus.com/archive/1/62033 #
- +# XSS + REDIRECT FIX: Francesco Ongaro, Giovanni Pellerano & Antonio Parata #
- +# v1.93 http://www.ush.it/team/ush/hack-formmail_192/adv.txt #
- ##############################################################################
- @@ -32,9 +33,9 @@
- -$mailprog = '/usr/sbin/sendmail -i -t -f xxx';
- +$mailprog = '/usr/lib/sendmail -i -t';
- # @referers allows forms to be located only on servers which are defined #
- -# in this field. This security fix from the last version which allowed #
- -# anyone on any server to use your FormMail script on their web site. #
- +# in this field. This is a security fix to prevent others from using your #
- +# FormMail script on their web site. #
- -@referers = ('scriptarchive.com','209.196.21.3');
- +@referers = ('scriptarchive.com','72.52.156.109');
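Review bot: The rewritten comment on `@referers` still presents it as what stops others from using the script, but `HTTP_REFERER` is supplied by the client and is trivially forged or simply omitted, so it is a nuisance filter at best; the control that actually bounds abuse is the `@recipients` allow-list. Suggest appending to the comment: `# NOTE: HTTP_REFERER is client-supplied and easily forged; rely on @recipients to limit where mail can be sent.` Dropping `-f xxx` from `$mailprog` also means the envelope sender now falls back to sendmail's default for the web-server user — confirm that is what the deployment expects, since it affects bounce handling and SPF for the sending domain.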
- @@ -98,5 +99,2 @@
- - $check_referer = 1;
- -
- -
- # If the HTTP_REFERER was invalid, send back an error. #
- @@ -231,2 +229,14 @@
- + # Fix XSS + HTTP Header Injection for v1.93
- + foreach $lfield ('redirect', 'return_link_url') {
- + # Strip new lines
- + $Config{$lfield} =~ s/(\n|\r)//mg;
- +
- + # Only allow certain handlers to avoid javascript:/data: tricks
- + if ($Config{$lfield} !~ /^\s*\// &&
- + $Config{$lfield} !~ /^\s*(http|https|ftp):\/\//) {
- + $Config{$lfield} = '';
- + }
- + }
- +
- if (!$Config{'recipient'}) {
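Review bot: The handler allow-list added here still passes protocol-relative URLs: `^\s*\/` matches `//evil.example/...` (and, in browsers that treat a backslash like a slash, `/\evil.example`), so a value that looks like a local path can still send the `Location:` redirect off-site. The check also constrains only the scheme: if `return_link_url` is later interpolated unescaped into an `href="..."` attribute (that print is outside this hunk), a value such as `http://x"onmouseover=...` satisfies `^\s*(http|https|ftp):\/\/` and reopens the XSS this release is meant to close, and any absolute http(s) URL to a foreign host is still accepted, so the redirect remains an open redirector unless that is intended. `$Config{$lfield}` is also undefined when the form omits the field, which makes the `=~`/`!~` lines warn under `-w`; defaulting to `''` first avoids that. A tightened loop follows; the `if (!$Config{'recipient'})` block it precedes continues past the hunk.
```perl
# Fix XSS + HTTP Header Injection for v1.93
foreach $lfield ('redirect', 'return_link_url') {
    $Config{$lfield} = '' unless defined $Config{$lfield};

    # Strip CR/LF (header injection) and surrounding whitespace
    $Config{$lfield} =~ s/[\r\n]//g;
    $Config{$lfield} =~ s/^\s+//;
    $Config{$lfield} =~ s/\s+$//;

    # Allow only a site-relative path (not "//host" or "/\host") or an
    # http/https/ftp URL, and reject characters that would break out of
    # an href attribute or a Location header.
    if (($Config{$lfield} !~ m{^/(?![/\\])} &&
         $Config{$lfield} !~ m{^(?:https?|ftp)://}i) ||
        $Config{$lfield} =~ /["'<>\s\\]/) {
        $Config{$lfield} = '';
    }
}
# ... unchanged: recipient presence check ...
```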
- @@ -238,9 +248,8 @@
- # a valid domain or e-mail address as defined in @recipients. #
- - $valid_recipient = 0;
- foreach $send_to (split(/,/,$Config{'recipient'})) {
- - # foreach $recipient (@recipients) {
- - # if ($send_to =~ /$recipient$/i) {
- + foreach $recipient (@recipients) {
- + if ($send_to =~ /$recipient$/i) {
- push(@send_to,$send_to); last;
- - # }
- - # }
- + }
- + }
- }
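Review bot: The restored check `if ($send_to =~ /$recipient$/i)` anchors the pattern only at the end and interpolates each `@recipients` entry as a regex, so an entry that does not itself begin with `^` (or that contains an unescaped `.`) accepts arbitrary text before the matching suffix — with `sendmail -t` reading addresses from the headers, a prefix like `other@attacker.example ` in front of a permitted address is something to rule out here rather than leave to the MTA's parsing. Anchoring both ends closes that: `if ($send_to =~ /\A(?:$recipient)\z/i) {`; entries that relied on implicit prefix matching would then need an explicit leading pattern such as `[\w\-\.]+`. The `To:` header in the 405 hunk prints the raw `$Config{'recipient'}`, so it must be reassigned from `@send_to` after this loop — that assignment is outside the hunk and should be confirmed. The outer `foreach $send_to` closes at the hunk's last context line.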
- @@ -380,3 +389,3 @@
- <hr size=1 width=75%><p>
- - <center><font size=-1><a href="http://www.scriptarchive.com/formmail.html">FormMail</a> V1.92 © 1995 - 2002 Matt Wright<br>
- + <center><font size=-1><a href="http://www.scriptarchive.com/formmail.html">FormMail</a> V1.93 © 1995 - 2009 Matt Wright<br>
- A Free Product of <a href="http://www.scriptarchive.com/">Matt's Script Archive, Inc.</a></font></center>
- @@ -396,3 +405,3 @@
- print MAIL "To: $Config{'recipient'}\n";
- - print MAIL "From: $Config{'email'} $Config{'realname'}\n";
- + print MAIL "From: $Config{'email'} ($Config{'realname'})\n";
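Review bot: `$Config{'realname'}` is now placed inside a parenthesised comment, so a `)` or `\` in the submitted name ends the comment early and yields a malformed `From:` header; more importantly, because `$mailprog` runs with `-t` (see the `$mailprog` hunk), a CR/LF in `email` or `realname` becomes an additional header such as `Bcc:`, and the CR/LF stripping this release adds covers only `redirect` and `return_link_url` — if these two fields are sanitised elsewhere, that code is not in this diff. A one-line guard before the print is cheap: `$Config{'realname'} =~ s/[\r\n()\\]//g;` (and `s/[\r\n]//g` on `email` unless the e-mail validation elsewhere already rejects it). The header-writing block this line belongs to continues outside the hunk.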
- @@ -582,3 +591,3 @@
- <center><font size=-1>
- - <a href="http://www.scriptarchive.com/formmail.html">FormMail</a> V1.92 © 1995 - 2002 Matt Wright<br>
- + <a href="http://www.scriptarchive.com/formmail.html">FormMail</a> V1.93 © 1995 - 2009 Matt Wright<br>
- A Free Product of <a href="http://www.scriptarchive.com/">Matt's Script Archive, Inc.</a>
- @@ -598,3 +607,3 @@
- <head>
- - <title>FormMail v1.92</title>
- + <title>FormMail v1.93</title>
- </head>
- @@ -606,4 +615,4 @@
- <table border=0 width=600 bgcolor=#CFCFCF>
- - <tr><th><tt><font size=+1>Copyright 1995 - 2002 Matt Wright<br>
- - Version 1.92 - Released April 21, 2002<br>
- + <tr><th><tt><font size=+1>Copyright 1995 - 2009 Matt Wright<br>
- + Version 1.93 - Released June 25, 2009<br>
- A Free Product of <a href="http://www.scriptarchive.com/">Matt's Script Archive,
- @@ -637,3 +646,3 @@
- <center><font size=-1>
- - <a href="http://www.scriptarchive.com/formmail.html">FormMail</a> V1.92 © 1995 - 2002 Matt Wright<br>
- + <a href="http://www.scriptarchive.com/formmail.html">FormMail</a> V1.93 © 1995 - 2009 Matt Wright<br>
- A Free Product of <a href="http://www.scriptarchive.com/">Matt's Script Archive, Inc.</a>
- @@ -668,3 +677,3 @@
- <center><font size=-1>
- - <a href="http://www.scriptarchive.com/formmail.html">FormMail</a> V1.92 © 1995 - 2002 Matt Wright<br>
- + <a href="http://www.scriptarchive.com/formmail.html">FormMail</a> V1.93 © 1995 - 2009 Matt Wright<br>
- A Free Product of <a href="http://www.scriptarchive.com/">Matt's Script Archive, Inc.</a>
- @@ -699,3 +708,3 @@
- <center><font size=-1>
- - <a href="http://www.scriptarchive.com/formmail.html">FormMail</a> V1.92 © 1995 - 2002 Matt Wright<br>
- + <a href="http://www.scriptarchive.com/formmail.html">FormMail</a> V1.93 © 1995 - 2009 Matt Wright<br>
- A Free Product of <a href="http://www.scriptarchive.com/">Matt's Script Archive, Inc.</a>
- @@ -739,3 +748,3 @@
- <center><font size=-1>
- - <a href="http://www.scriptarchive.com/formmail.html">FormMail</a> V1.92 © 1995 - 2002 Matt Wright<br>
- + <a href="http://www.scriptarchive.com/formmail.html">FormMail</a> V1.93 © 1995 - 2009 Matt Wright<br>
- A Free Product of <a href="http://www.scriptarchive.com/">Matt's Script Archive, Inc.</a>