[28882] in bugtraq
Re: Security bug in CGI::Lite::escape_dangerous_chars() function
daemon@ATHENA.MIT.EDU (John Madden)
Thu Feb 13 17:28:52 2003
Content-Type: text/plain;
charset="iso-8859-1"
From: John Madden <weez@freelists.org>
Reply-To: weez@freelists.org
To: tee@T72.org, Bugtraq <bugtraq@securityfocus.com>
Date: Wed, 12 Feb 2003 19:57:19 -0500
In-Reply-To: <20030212103229.GA6026@T72.org>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Message-Id: <200302121957.19683.weez@freelists.org>
> Better would be...
>
<snip>
And better still would be no command execution at all:
use Net::SMTP;
my $email = <<EOM;
To: $to
From: $from
Subject: $subject
...
...
EOM
my $smtp = Net::SMTP->new("mailsever.host.com");
$smtp->mail($from);
$smtp->to($to);
$smtp->data();
$smtp->datasend($email);
$smtp->dataend();
$smtp->quit();
...No command execution at all, and no need to have the issue-prone
sendmail binary even installed on the system.
John
--
# John Madden weez@freelists.org
# MailandFiles.com: Your mail, your files: http://www.mailandfiles.com
# FreeLists: Free mailing lists for all: http://www.freelists.org
# Linux, Apache, Perl and C: All the best things in life are free!
