I'm not actually/formally a Perl "beginner", but this problem is making me feel like one.
About a day ago, some schmuck set about to try, hard, to exploit the personally written Perl code I have in place and that processes the input for the contact form on my web site (www.tristatelogic.com). Fortunately, it appears that 99+% of these attempts failed miserably, because I was already well and truly aware of the dangers of processing un-checked input data before I started writing the contact form handler code, several years ago.

What worries me is that I have two messages in my inbox that appear to indicate that not all of these exploit attempts failed. It now seems at least possible that two attempts may have breached my security, possibly because of a misunderstanding on my part of "here" documents and the way they actually work. So I need, desperately, to ask about that now. And I have a *very* specific question.

Based on the data I am looking at, it appears that sometimes, or under some (obscure?) circumstances, Perl fails to read all of the way down to the "EOF" that is supposed to signal the end of a "here" document. I am trying to understand what conditions might cause that very unexpected behavior on Perl's part.

Given the following code snippet, under what conditions, if any, would the resulting generated message (assuming it is immediately piped into Postfix via the command "|/usr/sbin/sendmail -bm -f nobody admin") *not* include lines from "Subject:" on down through "X-Remote-Host:"?

=========================================================================
...
print SM <<EOF;
To: "Tristatelogic.Com Administrator" <admin\@tristatelogic.com>
From: "$sender_name" <$sender_addr>
Subject: Your message to Tristatelogic.Com
X-Server-Protocol: $server_protocol
X-Http-User-Agent: $http_user_agent
X-Http-Referer: $http_referer
X-Remote-Addr: $remote_addr
X-Remote-Host: $remote_host

$message
EOF
...
=========================================================================

The puzzle is that I have received (in my admin inbox) two messages that were clearly generated through and via the script that contains the above code, *however* these two e-mail messages in particular, for some reason, *do* include the:

To: "Tristatelogic.Com Administrator" <admin\@tristatelogic.com>

header, and each one also includes a From: header, but then after that, all the other headers that I had assumed would *always* be part of such messages are not there... and it is quite apparent, because of the context, that this must be because of the fact that the attacker who was looking for exploits in my web site contact form kept on trying to put various quirky and weird strings into the sender address data field in/on the form. In at least two cases, it appears that he managed to find magic strings that would cause the above snippet of code to not function as expected... and this is *very* worrying to me.

So I want desperately to understand "here" documents better, and in particular, anything that might cause them to not behave in an intuitive fashion, particularly when (expanded) variable values are part of the "here" document.

Please note that I perform only *very* minimal pre-filtering on the $sender_name and $sender_addr variable values prior to execution of the above code. Those two are only checked for undef'ness, and if they are not defined after:

my $cgi = new CGI::Lite;
my %form = $cgi->parse_form_data;
my $sender_name = $form{"sender_name"};
my $sender_addr = $form{"sender_addr"};
my $message = $form{"message"};

then I just do this to make sure they have at least _some_ value:

$sender_name = "" unless defined $sender_name;
$sender_addr = "" unless defined $sender_addr;

Any help, guidance, or explanations of subtle aspects of "here" documents that maybe I don't understand would be greatly appreciated.

Regards,
rfg

P.S.
Don't bother trying to reproduce the exploit by putting weird stuff into the contact form on my web site. I have revamped the contact form handler script and have removed the "here" document it formerly contained entirely.

-- 
To unsubscribe, e-mail: beginners-unsubscr...@perl.org
For additional commands, e-mail: beginners-h...@perl.org
http://learn.perl.org/
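The symptom described in the post (To: and From: present, every later header gone) is consistent with the here-document expanding completely while one of the interpolated values contains a newline followed by an empty line: a mail transfer agent ends the header block at the first empty line and treats everything after it as body, so headers printed after that point are no longer seen as headers. The following is an added example, not code from the original post, that rebuilds the here-document in a hypothetical build_message function, splits the result the way an MTA does, and adds a hypothetical clean_header_value helper that removes CR/LF from a value before it is interpolated into a header line. The form values are constructed for the demonstration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper, not part of the original script: a mail header value
# must occupy a single line, so replace any CR/LF run with a space before
# interpolating the value into a header.
sub clean_header_value {
    my ($v) = @_;
    $v = '' unless defined $v;
    $v =~ s/[\r\n]+/ /g;
    return $v;
}

# Same shape as the here-document in the post, reduced to a few headers.
# The here-document itself always runs to its EOF terminator; only the
# rendered text can be misread by whatever reads it next.
sub build_message {
    my (%f) = @_;
    my $text = <<"EOF";
To: "Tristatelogic.Com Administrator" <admin\@tristatelogic.com>
From: "$f{sender_name}" <$f{sender_addr}>
Subject: Your message to Tristatelogic.Com
X-Remote-Addr: $f{remote_addr}

$f{message}
EOF
    return $text;
}

# Split the text the way sendmail/Postfix does: the header block ends at the
# first empty line, and everything after it is body. Returns the header names.
sub header_names {
    my ($text) = @_;
    my ($headers) = split /\n\n/, $text, 2;
    return [ map { /^([\w-]+):/ ? $1 : () } split /\n/, $headers ];
}

# Constructed sample input: the sender name carries an embedded empty line,
# the kind of "quirky" value a form field can deliver.
my %form = (
    sender_name => "Mallory\n\nhello",
    sender_addr => 'mallory@example.invalid',
    remote_addr => '192.0.2.10',
    message     => "Form body text.\n",
);

# 1. Raw values, as in the original handler.
my $raw = build_message(%form);
print "Here-doc reached EOF: ", ($raw =~ /^X-Remote-Addr:/m ? "yes" : "no"), "\n";
print "Headers an MTA sees (raw):     @{ header_names($raw) }\n";

# 2. Same here-document, header values cleaned before interpolation.
my %clean = %form;
$clean{$_} = clean_header_value($form{$_}) for qw(sender_name sender_addr remote_addr);
my $safe = build_message(%clean);
print "Headers an MTA sees (cleaned): @{ header_names($safe) }\n";
```

Run as-is, the first case reports that X-Remote-Addr: is present in the generated text (Perl did read to EOF) while the MTA-style split yields only To and From; the second case yields all four headers. Two points follow from this. First, the here-document terminator is resolved when the script is compiled, so no runtime value, not even one containing the literal string EOF, can end the here-document early; the place to look is always the content of the interpolated values. Second, every value that lands on a header line ($sender_name, $sender_addr, and the X-* values taken from the environment) needs the same single-line treatment, and rejecting the submission outright when a header value contains CR or LF is an equally valid choice to repairing it.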