On Mon, 9 Nov 1998, xnec wrote: > > EXPLOIT: > > Each of these are exploitable by inputing metacharacters into the > recipient's email address. Each script calls something similar > to: > > open( MAIL, "|$mailprog $email" ) This is one that just won't go away, and rather than try the (frankly quite fruitless) metachar filtering route, it might be an idea for CGI providing ISP's to insist on the use of perl's Mail::Sendmail module, which cuts out any potential pipe/metachar related bugs by communicating directly w/ the SMTP server. $LOCAL_CPAN_MIRROR/authors/id/M/MI/MIVKOVIC/Mail-Sendmail-0.74.tar.gz See http://www.perl.com/CPAN for a list of mirror sites. Regards Gus -- angusat_private http://www.intasys.com/~angus/
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:22:32 PDT