[8486] in bugtraq


Re: Several new CGI vulnerabilities

daemon@ATHENA.MIT.EDU (Randal Schwartz)
Tue Nov 10 16:14:26 1998

Date: 	Mon, 9 Nov 1998 19:45:28 -0700
Reply-To: Randal Schwartz <merlyn@STONEHENGE.COM>
From: Randal Schwartz <merlyn@STONEHENGE.COM>
X-To:         xnec <xnec@WINTERMUTE.LINUX.TC>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  xnec's message of "Mon, 9 Nov 1998 18:26:05 -0600"

>>>>> "xnec" == xnec  <xnec@WINTERMUTE.LINUX.TC> writes:

xnec> Either fork your sendmail process, strip out metacharacters (or
xnec> only allow certain characters),

You cannot restrict the permitted characters of an email address.
*Any* character is permitted on the left-side of an @, presuming
the proper quoting is used for those more odd ones.

For example, <fred&barney@stonehenge.com> is a perfectly valid
email address (try it, an autoresponder responds!).

xnec>  use open (MAIL , "|$sendmail -t") or rm -rf
xnec> ./cgi-bin.

Or use Net::SMTP to pass the data directly to port 25.

--
Name: Randal L. Schwartz / Stonehenge Consulting Services (503)777-0095
Keywords: Perl training, UNIX[tm] consulting, video production, skiing, flying
Email: <merlyn@stonehenge.com> Snail: (Call) PGP-Key: (finger merlyn@teleport.com)
Web: <A HREF="http://www.stonehenge.com/merlyn/">My Home Page!</A>
Quote: "I'm telling you, if I could have five lines in my .sig, I would!" -- me
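
The two delivery routes mentioned in this thread, as an added Perl example that is not part of the original post: the address is not filtered for shell metacharacters, because it never reaches a shell. The list-form pipe open, the `SMTP_HOST` and `SENDMAIL` environment variables, and the sender address are assumptions made for the illustration.

```perl
#!/usr/bin/perl
# Added example: deliver form mail without the address ever reaching a shell.
use strict;
use warnings;
use Net::SMTP;

# Constructed sample input: the valid address from the post, containing '&'.
my $to   = 'fred&barney@stonehenge.com';
my $from = 'webform@example.org';            # assumed sender address
my $body = "Thanks for your feedback.\n";

# Reject only CR/LF, so a value cannot add header lines of its own.
# Characters such as & ; | ` are left alone: they are legal in addresses.
sub build_message {
    my ($from, $to, $body) = @_;
    for ($from, $to) {
        die "line break in address\n" if /[\r\n]/;
    }
    return "From: $from\nTo: $to\nSubject: Feedback received\n\n$body";
}

# Route 1: pipe to "sendmail -t". The list form of open runs the program
# directly (no /bin/sh), and -t takes the recipients from the headers.
sub send_via_sendmail {
    my ($sendmail, $msg) = @_;
    open(my $mail, '|-', $sendmail, '-t') or die "cannot run $sendmail: $!\n";
    print {$mail} $msg;
    close($mail) or die "sendmail exited with status $?\n";
}

# Route 2: Net::SMTP talks to port 25 itself; no external program is run.
sub send_via_smtp {
    my ($host, $from, $to, $msg) = @_;
    my $smtp = Net::SMTP->new($host, Timeout => 30)
        or die "cannot connect to $host\n";
    $smtp->mail($from) or die "MAIL FROM rejected\n";
    $smtp->to($to)     or die "RCPT TO rejected\n";
    $smtp->data($msg)  or die "DATA rejected\n";
    $smtp->quit;
}

my $msg = build_message($from, $to, $body);
if    ($ENV{SMTP_HOST}) { send_via_smtp($ENV{SMTP_HOST}, $from, $to, $msg) }
elsif ($ENV{SENDMAIL})  { send_via_sendmail($ENV{SENDMAIL}, $msg) }
else                    { print $msg }       # dry run: show what would be sent
```

With neither environment variable set, the script only prints the message it would hand over, so it can be run without a mail server.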
