MikeJ Posted January 3, 2005 Share Posted January 3, 2005 An advisory has been released regarding Jack's FormMail script v5.0. Jack's FormMail script is not a TCH supported or supplied script, but I know many users use it. The above vulnerability can allow a remote user to gain access to read files normally not viewable through your website (such as your .htaccess file, or other private files). The following fix is recommended for users of Jack's FormMail script until a new version is released that fixes this problem: Remove the following code from the FormMail.php script.------------------------------------------------------ if (file_exists($ar_file)) { $fd = fopen($ar_file, "rb"); $ar_message = fread($fd, filesize($ar_file)); fclose($fd); mail_it($ar_message, ($ar_subject)?stripslashes($ar_subject):"RE: Form Submission", ($ar_from)?$ar_from:$recipient, $email); } ------------------------------------------------------ Quote Link to comment Share on other sites More sharing options...
TCH-Thomas Posted January 3, 2005 Share Posted January 3, 2005 Just out of curiousity, this isn´t the same script as the Ultimate Form Mail Script, correct? Quote Link to comment Share on other sites More sharing options...
TCH-Bruce Posted January 3, 2005 Share Posted January 3, 2005 I don't believe so Thomas Quote Link to comment Share on other sites More sharing options...
MikeJ Posted January 3, 2005 Author Share Posted January 3, 2005 Just out of curiousity, this isn´t the same script as the Ultimate Form Mail Script, correct? <{POST_SNAPBACK}> No. Ultimate Form Mail script is a completely different script and does not have this vulnerability. Quote Link to comment Share on other sites More sharing options...
TCH-Thomas Posted January 3, 2005 Share Posted January 3, 2005 Thanks Mike J. I just wanted to make sure since the guy who does Ultimate Form Mail is named Jack too (if Im not wrong) and that script is very popular here as I understand. Quote Link to comment Share on other sites More sharing options...
MikeJ Posted January 3, 2005 Author Share Posted January 3, 2005 I can understand the confusion. The vulnerable script is actually called "Jack's FormMail". Quote Link to comment Share on other sites More sharing options...
surefire Posted January 3, 2005 Share Posted January 3, 2005 TCH-MikeJ is absolutely correct. I'm the good Jack. Different dude. Thanks for being so on top of things. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.