How could someone hijack my forms?

and how could I stop it?

Powdork

7:18 am on Apr 28, 2004 (gmt 0)




Recently, I asked this question in an unrelated thread.
Is there any way someone could use this, or some other method, to hijack cgi-script form submissions?

To which lemat replied

that's a subject for 1000 pages of book concerning security. Yes, sniffers often look for insecure formmail scripts.

Would switching my forms to flash help at all, or does that just use flash to access the same form?

And if someone writes that book I'd be interested (for at least the first ten pages).

elgumbo

8:20 am on Apr 28, 2004 (gmt 0)




From what I have been told in the past...

Try uploading your form to another site and changing the url of the cgi script to continue to point to your old site. If the form still works then it is open to abuse by anyone else.

If flash is using the same cgi script then the problem would remain.

I know in php you can check the referrer site that the form originates from and then stop it if it's not from your site. You could probably do this in your cgi script as well but I wouldn't know where to start with that :)

Sanenet

8:47 am on Apr 28, 2004 (gmt 0)




Of course, this is only really a problem if your mail form sends ANY INFORMATION to ANY EMAIL. So, if a spammer finds this form, he (or she!) could potentially send out lots and lots of spam emails, that are delivered from your site.

If it just comes to you, then the worst that could happen is that some twit sets it to send you lots of contacts (if this is likely, then don't let this happen).

Powdork

9:39 am on Apr 28, 2004 (gmt 0)




My concern is that someone could divert the submissions to himself somehow.

elgumbo

9:51 am on Apr 28, 2004 (gmt 0)




I think that is unlikely unless your site is hacked and the cgi script (or the form) is changed.

Your main concern (and your host's) should be that, as stated above, an insecure formmail script allows spammers to send unsolicited email via your server. This could cause your IP address to be added to spam blacklists which will affect every other site on the same server and block your emails from getting to your clients.

Sanenet

9:51 am on Apr 28, 2004 (gmt 0)




If they can do that, then they have full access to your server and you're in trouble anyway!

OK, imagine a "contact us" form works like this:

collect - send - thanks

collect: The HTML form with all the boxes (your email, your name, your comments, etc). When the user hits "submit" it sends the information via http post to...

send: the cgi script. This receives the information from "collect" and processes it, makes sure that there's no errors, and sends it to you (be it via email, db, txt file, etc). If successful, redirects user to...

thanks: A page saying "Thank you for contacting us!".

The danger is if, in the "collect" page, you have hidden information that somebody can manipulate, such as your final email address. If so, then a malicious user could make a script that changes the information sent and the email address to spam people at random.

So, you need to make sure that your final email address is hidden in the "send" CGI script, and cannot be manipulated. However, the only way that somebody can redirect all the contacts to themself is by modifying your script, which requires write access to your server. Get it?

In any case, if you are collecting important or sensitive information, you shouldn't be emailing it off to yourself. Stick it in a database, and just email a notification to yourself.
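The point of the post above (the destination address lives in the "send" script, never in the "collect" form), as an added example that is not code from this thread or from any formmail script. The addresses, field names and the `build_message` helper are assumptions made for illustration.

```python
from email.message import EmailMessage

# Assumed values for this example: set server-side, never read from the form.
RECIPIENT = "owner@example.com"
SENDER = "webform@example.com"
ALLOWED_FIELDS = ("name", "email", "comments")
MAX_LEN = 2000


class RejectedSubmission(ValueError):
    """Raised when a submission should not be mailed."""


def build_message(form):
    """Turn the posted "collect" fields into the mail the "send" step delivers.

    `form` is a dict of field name -> string, as parsed from the HTTP POST.
    """
    # Fields outside the allow-list (a forged "recipient", "cc", "bcc", ...)
    # are dropped, so nothing the client posts can choose who gets the mail.
    fields = {k: form.get(k, "").strip() for k in ALLOWED_FIELDS}

    if not fields["comments"]:
        raise RejectedSubmission("empty comments")
    if any(len(v) > MAX_LEN for v in fields.values()):
        raise RejectedSubmission("field too long")
    # name and email end up in mail headers: refuse line breaks there.
    for key in ("name", "email"):
        if "\r" in fields[key] or "\n" in fields[key]:
            raise RejectedSubmission("line break in " + key)

    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = RECIPIENT  # constant from this script, not form data
    msg["Subject"] = "Contact form: " + (fields["name"] or "anonymous")
    if fields["email"]:
        msg["Reply-To"] = fields["email"]
    msg.set_content(fields["comments"])
    return msg


# Constructed sample: a normal post with a forged hidden "recipient" added.
forged = {"name": "Ann", "email": "ann@example.org",
          "comments": "Hello", "recipient": "victim@example.net"}
```

Passing `forged` to `build_message` yields a message addressed only to `RECIPIENT`; the posted `recipient` value never reaches a header or the body.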

Powdork

2:49 pm on Apr 28, 2004 (gmt 0)




However, the only way that somebody can redirect all the contacts to themself is by modifying your script, which requires write access to your server. Get it?

So if I look at formmail.conf and it is unchanged, I should be ok?

Sanenet

2:53 pm on Apr 28, 2004 (gmt 0)




Yep.

Unless... he modified something elsewhere in the script? Nah, that's paranoia.

Send yourself a test, if you get it you're OK. And check the cgi script to see if some lines have been added to copy somebody else in.