Contact Form Processing Products - for all your needs

FormMail • Form Encryption • Hosted Forms

FormMail Security

Does anything else compare?

This page provides full disclosure of Tectite FormMail's security history.

To compare with other products:

  • Search for "security vulnerability" for the product in question.
  • Does the product's website provide a full security disclosure page?
  • Does the product provide a visible bug reporting page or forum that you can read?

This page lists the security history of Tectite FormMail.

Over the years we've claimed that Tectite FormMail is the most secure form processor available.

As you'll read, our free forms processing product has not had a perfect security track record, but we think you'll agree that it's been stronger than any other product you can obtain - either free or non-free.

The most dangerous security flaws have never been found in any version of Tectite FormMail, including:

Common Security Vulnerability

Tectite FormMail

Allowing your server to be become a spam gateway.


Allowing your server to be compromised or broken into.


Accessing secret information on your server.


Overwriting arbitrary files on your server.


Tectite FormMail Security Flaws

Tectite FormMail has a 22 year history with only 4 minor security flaws in that history.

July 2009

A minor Cross-site Scripting (XSS) vulnerability was found in FMBadHandler's error display. This vulnerability only happened when FMBadHandler displayed an internal error (such as failure to open a template).

The fix was implemented within 2 days of the problem being reported.

See December 2008 (below) for more information.

December 2008

Cross-site Scripting (XSS) vulnerabilities were uncovered in FormMail's default error display page and FMBadHandler's error display.

To be affected by this XSS vulnerability, all the following conditions would have to be met:

  • your website would need to have an "authenticated area", such as forums or a message board; and,
  • your authenticated area would need to have a very large number of users (many millions); and,
  • your authenticated area would need to allow persistent automatic authentication of a user (i.e. "remember me" feature); and,
  • the attacker would have to create code to attack your particular website (this means the attack is not a general one); and,
  • the attacker would have to convince one of your authenticated users to visit a specially-crafted website; and,
  • the attacker would have to trick the user into leaving hidden windows open.

Note that the above is only theoretical. It has not been demonstrated that such an attack is possible, nor is it clear whether any useful attack could be mounted using this vulnerability.

The vulnerability is fixed in FormMail version 8.11 and FMBadHandler version 1.19.

About Cross-Site Scripting

Cross-Site Scripting (XSS) is a common vulnerability in almost all web applications and many major websites.

XSS attacks can be used for various purposes, but we believe the only realistic attack could happen under the limited circumstances described above, if possible at all.

We fixed the problem and released the new versions within 3 days of receiving a report about this. The report was generated through a general XSS vulnerability test reported to us by a FormMail user.

No exploits of this vulnerability have been reported.

November 2008

A bug allowed the CAPTCHA feature to be bypassed for form submissions. Auto-responding was not affected, therefore no servers could be used as spam gateways via this bug.

This bug was uncovered by McAfee Scanning.

Fixed in version 8.10.

July 2006

Versions 7.06 to 7.09 had a vulnerability if you used the new $FILE_REPOSITORY feature. The flaw was detected and fixed within 3 weeks and before the documentation for this feature was available. No known systems were affected.

Fixed in version 7.10.