Re: Security bug in CGI::Lite::escape_dangerous_chars() function

From: John Madden (weezat_private)
Date: Wed Feb 12 2003 - 16:57:19 PST


    > Better would be...
    >
    
    <snip>
    
    And better still would be no command execution at all:
    
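    use Net::SMTP;
    
    # $to, $from and $subject are set earlier in the script
    my $email = <<EOM;
    To: $to
    From: $from
    Subject: $subject
    
    ...
    ...
    EOM
    
    # Speak SMTP to the mail server directly; no shell or sendmail is involved
    my $smtp = Net::SMTP->new("mailsever.host.com")
        or die "Cannot connect to mail server: $@";
    $smtp->mail($from);       # envelope sender
    $smtp->to($to);           # envelope recipient
    $smtp->data();            # begin the message data
    $smtp->datasend($email);
    $smtp->dataend();         # end the message data
    $smtp->quit();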
    
    ...No command execution at all, and no need to have the issue-prone 
    sendmail binary even installed on the system.
    
    John
    
    
    
    
    -- 
    # John Madden  weezat_private
    # MailandFiles.com: Your mail, your files: http://www.mailandfiles.com
    # FreeLists: Free mailing lists for all: http://www.freelists.org
    # Linux, Apache, Perl and C: All the best things in life are free!
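
An added example, not part of the original post: the Net::SMTP approach above with the header fields checked for line breaks before they are interpolated, which goes one step beyond the post. The sample form data and the SMTP_HOST environment variable are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Net::SMTP;

# Reject a header value that is empty or contains CR/LF. With no shell in
# the path, an embedded line break is how form input could still add
# headers or SMTP commands of its own.
sub clean_header {
    my ($name, $value) = @_;
    die "$name is missing\n" unless defined $value && length $value;
    die "$name contains a line break\n" if $value =~ /[\r\n]/;
    return $value;
}

# Validate the three header fields and assemble the message text.
sub build_message {
    my (%f) = @_;
    my %h = map { $_ => clean_header($_, $f{$_}) } qw(to from subject);
    return "To: $h{to}\nFrom: $h{from}\nSubject: $h{subject}\n\n$f{body}\n";
}

# Hand the message to the SMTP server, checking every step.
sub send_message {
    my ($host, $from, $to, $message) = @_;
    my $smtp = Net::SMTP->new($host, Timeout => 30)
        or die "cannot connect to $host: $@\n";
    $smtp->mail($from)    or die "sender rejected: " . $smtp->message;
    $smtp->to($to)        or die "recipient rejected: " . $smtp->message;
    $smtp->data($message) or die "message rejected: " . $smtp->message;
    $smtp->quit;
}

# Constructed sample form submissions (not from the original post).
my @forms = (
    { to => 'support@example.org', from => 'user@example.org',
      subject => 'Feedback', body => 'Thanks for the site.' },
    { to => 'support@example.org', from => 'user@example.org',
      subject => "Feedback\r\nBcc: other\@example.org", body => 'x' },
);

for my $f (@forms) {
    my $msg = eval { build_message(%$f) };
    if (!defined $msg) { print "rejected: $@"; next; }
    print "accepted: $f->{subject}\n";
    # SMTP_HOST is an assumed environment variable; unset means dry run.
    send_message($ENV{SMTP_HOST}, $f->{from}, $f->{to}, $msg) if $ENV{SMTP_HOST};
}
```

Run without SMTP_HOST set, it only validates: the first sample is accepted and the second is rejected because its subject contains a line break.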
    



    This archive was generated by hypermail 2b30 : Thu Feb 13 2003 - 14:19:07 PST