[15079] in bugtraq
formmail patch
daemon@ATHENA.MIT.EDU (Peter D. Thompson Yezek)
Fri May 26 16:42:08 2000
Message-Id: <392EB0E2.1301EF56@uni.edu>
Date: Fri, 26 May 2000 12:14:10 -0500
Reply-To: "Peter D. Thompson Yezek" <peter.thompson-yezek@UNI.EDU>
From: "Peter D. Thompson Yezek" <peter.thompson-yezek@UNI.EDU>
To: BUGTRAQ@SECURITYFOCUS.COM
Hello,

I've developed a patch for the recently reported problem with Matt
Wright's FormMail script. The patch listed at
http://www.securityfocus.com/bid/1187 implements an access control of
sorts, but this was not a usable solution at our site.

The following gives the sysadmin the ability to allow certain
environment variables to be reported, but blocks all others.

36a37,42
> # @valid_ENV allows the sysadmin to define what environment variables can
> # be reported via the env_report directive. This was implemented to fix
> # the problem reported at http://www.securityfocus.com/bid/1187
>
> @valid_ENV = ('REMOTE_HOST','REMOTE_ADDR','REMOTE_USER','HTTP_USER_AGENT');
>
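Review bot: @valid_ENV is a plain list that the later loop has to scan once per requested item; storing the allow list as a hash (`%valid_ENV = map { $_ => 1 } (...)`) makes each check a single `exists` test and reads more clearly as a set. Worth noting in the comment that REMOTE_HOST, REMOTE_USER and HTTP_USER_AGENT are still supplied by or derived from the client, so allowing them to be reported does not make their values trustworthy.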
186a193,204
>
> # Only allow ENV variables in @valid_ENV in @Env_Report for security
> # reasons.
> foreach $env_item (@Env_Report) {
> foreach $valid_item (@valid_ENV) {
> if ( $env_item eq $valid_item ) {
> push(@temp_array, $env_item);
> }
> }
> }
> @Env_Report = @temp_array;
>
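Review bot: @temp_array is never initialised before the loop pushes into it, so if the variable already holds values (a reused name, or a persistent interpreter such as mod_perl) they are silently prepended to @Env_Report; add `@temp_array = ();` (or `my @temp_array;` under `use strict`) before the outer `foreach`. Two smaller points: an item that fails the check is dropped without any notice to the sysadmin, so a log line for rejected names would help debugging, and duplicates in @Env_Report pass through unchanged because the inner loop pushes once per match.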
--
Peter D. Thompson Yezek . (319)-273-7390
WWW Tools Specialist . Peter.Thompson-Yezek@uni.edu
University of Northern Iowa . http://www.uni.edu
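The allow-list idea in the patch above, written out as a stand-alone Perl example. This is added illustration, not code from the bugtraq post or from FormMail: the function names, the hash-based allow list (the post uses an array and a nested loop), the duplicate handling, the separate "rejected" list and all sample values are my own assumptions, constructed so the script runs offline.

```perl
#!/usr/bin/perl
# Added example (not from the bugtraq post or FormMail): allow-list filtering
# of environment variable names before they are reported.
use strict;
use warnings;

# The four names the post allows, stored as a hash so membership is one lookup.
my %VALID_ENV = map { $_ => 1 } qw(REMOTE_HOST REMOTE_ADDR REMOTE_USER HTTP_USER_AGENT);

# filter_env_report(\@requested, \%allowed) -> (\@kept, \@dropped)
# Keeps each requested name once, in request order, only if it is on the
# allow list; rejected names are returned separately so the admin can log
# them instead of losing them silently. Comparison is exact (case-sensitive),
# matching the post's use of `eq`.
sub filter_env_report {
    my ($requested, $allowed) = @_;
    my (@kept, @dropped, %seen);
    for my $name (@$requested) {
        next if $seen{$name}++;            # drop duplicates
        if (exists $allowed->{$name}) {
            push @kept, $name;
        } else {
            push @dropped, $name;
        }
    }
    return (\@kept, \@dropped);
}

# build_env_report(\@names, \%env) -> "NAME: value" lines for the names that
# survived filtering. In a CGI you would pass \%ENV; here a constructed hash
# stands in for it so the script runs outside a web server.
sub build_env_report {
    my ($names, $env) = @_;
    my $out = '';
    for my $name (@$names) {
        my $value = defined $env->{$name} ? $env->{$name} : '';
        $out .= "$name: $value\n";
    }
    return $out;
}

# Constructed sample input: an env_report list mixing allowed names, a
# duplicate, a lower-case spelling, and a name that is not on the allow list.
my @env_report = qw(REMOTE_ADDR HTTP_USER_AGENT REMOTE_ADDR remote_host PATH);
my %fake_env = (
    REMOTE_ADDR     => '192.0.2.10',          # constructed (documentation range)
    HTTP_USER_AGENT => 'ExampleBrowser/1.0',  # constructed
    REMOTE_HOST     => 'client.example',      # constructed
    PATH            => '/usr/bin:/bin',       # constructed
);

my ($kept, $dropped) = filter_env_report(\@env_report, \%VALID_ENV);
print "reported:\n", build_env_report($kept, \%fake_env);
print "rejected (not in allow list): @$dropped\n" if @$dropped;
```

Run with `perl` on the command line: the report contains only REMOTE_ADDR and HTTP_USER_AGENT (the duplicate REMOTE_ADDR is collapsed), while `remote_host` and `PATH` are listed as rejected. Returning the rejected names rather than discarding them is the one deliberate departure from the post's loop; it lets a sysadmin see a misconfigured form instead of silently getting a shorter report.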