Jump to content
MikeJ

Vulnerability In Jack's Formmail Script

Recommended Posts

An advisory has been released regarding Jack's FormMail script v5.0.

 

Jack's FormMail script is not a TCH supported or supplied script, but I know many users use it. The above vulnerability can allow a remote user to gain access to read files normally not viewable through your website (such as your .htaccess file, or other private files). The following fix is recommended for users of Jack's FormMail script until a new version is released that fixes this problem:

Remove the following code from the FormMail.php script.

------------------------------------------------------

if (file_exists($ar_file)) {

  $fd = fopen($ar_file, "rb");

  $ar_message = fread($fd, filesize($ar_file));

  fclose($fd);

  mail_it($ar_message, ($ar_subject)?stripslashes($ar_subject):"RE: Form Submission", ($ar_from)?$ar_from:$recipient, $email);

}

------------------------------------------------------

Share this post


Link to post
Share on other sites

Just out of curiousity, this isn´t the same script as the Ultimate Form Mail Script, correct?

Share this post


Link to post
Share on other sites
Just out of curiousity, this isn´t the same script as the Ultimate Form Mail Script, correct?

 

No. Ultimate Form Mail script is a completely different script and does not have this vulnerability.

Share this post


Link to post
Share on other sites

Thanks Mike J. :)

I just wanted to make sure since the guy who does Ultimate Form Mail is named Jack too (if Im not wrong) and that script is very popular here as I understand.

Share this post


Link to post
Share on other sites

I can understand the confusion. The vulnerable script is actually called "Jack's FormMail".

Share this post


Link to post
Share on other sites

TCH-MikeJ is absolutely correct. I'm the good Jack. Different dude. Thanks for being so on top of things.

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


×
×
  • Create New...