[28870] in bugtraq
Re: Security bug in CGI::Lite::escape_dangerous_chars() function
daemon@ATHENA.MIT.EDU (tee@T72.org)
Wed Feb 12 18:10:08 2003
Date: Wed, 12 Feb 2003 12:32:29 +0200
From: tee@T72.org
To: Bugtraq <bugtraq@securityfocus.com>
Message-ID: <20030212103229.GA6026@T72.org>
Reply-To: tee@T72.org
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
Hi Ronald,
Ronald F. Guilmette wrote:
> Below is a trivially simple example of how this security flaw can
> cause a problem, in practice:
>
> =====================================================================
> #!/usr/bin/perl -w
>
> use strict;
> use CGI::Lite;
>
> my $cgi = new CGI::Lite;
> my %form = $cgi->parse_form_data;
> my $recipient = $form{'recipient'};
>
> my $message = "From: sender\nSubject: Hello\n\nHello my friend!\n\n";
>
> $recipient = escape_dangerous_chars ($recipient);
>
> open (SM, "|/usr/sbin/sendmail -f rfg $recipient");
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Uhm... no matter how you escape dangerous stuff, you should not be
using that code in the first place...
Better would be...
my $pid = open(MAIL, "|-");   # implicit fork; child's stdin is our MAIL handle
defined ($pid) or die "Fork: $!";
if (!$pid) {
    # child: exec with a list, so no shell ever parses the arguments
    # ('or', not '||': "exec LIST || exit" binds the || to '-oi' and never exits)
    exec('/usr/lib/sendmail', '-t', '-oi') or exit 255;
}
# -t makes sendmail take the recipients from the headers, not the command line
print MAIL "To: $to\n";
print MAIL "From: $from\n";
print MAIL "Subject: $subject\n";
...
...
Peace,
--T
--
tee at T72 dot org - "There are three kinds of people: those who
are mathematically gifted and
those who are not."
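The list-form fork/exec pattern tee recommends, written out as an added example (not code from either poster) with the CR/LF header check the original omits; `cat` stands in for sendmail and the addresses are constructed so it runs offline:

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Conservative address check: refuse CR/LF (would inject extra headers under
# sendmail -t) and anything outside a plain local@domain shape.
sub clean_address {
    my ($addr) = @_;
    return undef unless defined $addr;
    return undef if $addr =~ /[\r\n]/;
    return undef unless $addr =~ /\A[A-Za-z0-9._%+-]+\@[A-Za-z0-9.-]+\z/;
    return $addr;
}

# Pipe a message into a program given as an argv LIST.  open('|-') forks; the
# child execs @cmd directly, so no shell sees the arguments and metacharacters
# in them are just bytes.
sub pipe_message {
    my ($to, $from, $subject, $body, @cmd) = @_;
    my $pid = open(my $fh, '|-');
    defined $pid or die "fork: $!";
    if (!$pid) {
        # Child.  The { $cmd[0] } form forces list semantics even when @cmd has
        # one element (a one-element exec falls back to the shell-parsed string
        # form).  'or', not '||': "exec LIST || exit" never reaches the exit.
        exec { $cmd[0] } @cmd or exit 255;
    }
    print $fh "To: $to\n", "From: $from\n", "Subject: $subject\n\n", $body;
    close($fh) or die "$cmd[0] exited with status " . ($? >> 8) . "\n";
    return 1;
}

# Demo: with 'sendmail -t -oi' the recipient is read from the To: header, so
# nothing user-supplied reaches the command line.  'cat' stands in here (pass
# the real command on the command line to use it, e.g. /usr/lib/sendmail -t -oi).
my @sendmail = @ARGV ? @ARGV : ('cat');
for my $raw ('alice@example.com', "bob@example.com\nX-Injected: yes") {
    my $to = clean_address($raw);
    if (!defined $to) {
        (my $shown = $raw) =~ s/[\r\n]/\\n/g;
        warn "refusing recipient: $shown\n";
        next;
    }
    pipe_message($to, 'sender@example.com', 'Hello', "Hello my friend!\n", @sendmail);
}
```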