Matt -
I share your sentiments but I would like to point out a few things about
the use of CGI.pm and Embperl and/or Modperl which would be
different than if I were writing the uudecoding by myself.
Normally, I would parse out metachars in the process of decoding input
from the browser. When I use embperl (and CGI.pm by default),
everything is in a nice HASH for me. What's to stop someone from
entering metachars of {}, or other perl code, into a field and having it
processed by embperl?
My own decoding routines only let in what I deem safe. CGI.pm is doing
this for me.
Is the data input being scrubbed or checked?
Ruben
Matt Sergeant wrote:
>
> On Tue, 12 Oct 1999, Ruben I Safir wrote:
> > Dear Boss
> >
> > Thanks for pointing this article from PC Week out.
> >
> > I've already read and reviewed this, and discussed it with the hacker
> > after it was announced 3 weeks ago on http://slashdot.org.
> > The hacker attacked a shrink-wrapped CGI application with a documented
> > hacker's weakness that has been passed around the net.
> >
> > See: http://slashdot.org/articles/99/09/24/1224221.shtml
> >
> > Note this discussion below which has been reviewed. Please review it as
> > well so that everyone is fully versed in the details of network security.
> >
> > I'm wondering if anyone else has comments on this. How secure is CGI.pm
> > and EMBPERL?
>
> All CGI scripts, no matter what language they are written in, can be
> insecure. There's no need to discuss this here - simply read CERT's CGI
> script security document. If you haven't read it and followed its
> precautions (which the developers of the photoads script obviously didn't)
> then you shouldn't be developing secure web sites. There's really nothing
> further to discuss.
>
> --
> <Matt/>
>
> Details: FastNet Software Ltd - XML, Perl, Databases.
> Tagline: High Performance Web Solutions
> Web Sites: http://come.to/fastnet http://sergeant.org
> Available for Consultancy, Contracts and Training.
>
> ---------------------------------------------------------------------
> Please check "http://www.mysql.com/Manual_chapter/manual_toc.html" before
> posting. To request this thread, e-mail [EMAIL PROTECTED]
>
> To unsubscribe, send a message to the address shown in the
> List-Unsubscribe header of this message. If you cannot see it,
> e-mail [EMAIL PROTECTED] instead.
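The question above, about whether CGI.pm scrubs what ends up in the parameter hash, can be checked directly. The following is an added example, not code from either poster: it feeds CGI.pm a constructed query string containing the `{}` and `$` metacharacters Ruben mentions, shows that they come back URL-decoded but otherwise untouched, and then applies the allowlist validation that the script itself has to do (the `untaint_name` and `untaint_age` helpers are assumptions for the illustration).

```perl
#!/usr/bin/perl -T
# Added example, not from the thread. Run as: perl -T example.pl
# Shows that CGI.pm only URL-decodes form input; it does not filter
# metacharacters. Validation against an allowlist is the script's job.
use strict;
use warnings;
use CGI;

# Constructed input: a 'name' field carrying {, }, and $ (as Embperl-style
# metachars) and a well-formed 'age' field. CGI->new accepts a query string.
my $q = CGI->new('name=%7B+%24foo+%7D&age=42');

# CGI.pm hands back the decoded value verbatim: the braces and $ survive.
my $raw_name = $q->param('name');
print "decoded name: $raw_name\n";   # decoded name: { $foo }

# Hypothetical allowlist helpers. Under -T, input is tainted until it is
# extracted through a regex capture; only matching values are untainted.
sub untaint_name {
    my ($v) = @_;
    return undef unless defined $v;
    return ($v =~ /\A([A-Za-z][A-Za-z' -]{0,39})\z/) ? $1 : undef;
}

sub untaint_age {
    my ($v) = @_;
    return undef unless defined $v;
    return ($v =~ /\A(\d{1,3})\z/) ? $1 : undef;
}

my $name = untaint_name($raw_name);
my $age  = untaint_age(scalar $q->param('age'));

# The metachar-laden name is rejected; the numeric age passes.
print defined $name ? "name ok: $name\n" : "name rejected\n";
print defined $age  ? "age ok: $age\n"   : "age rejected\n";
```

The same check applies to any field the template later interpolates: nothing in CGI.pm decides which characters are safe for your application, so each parameter needs its own allowlist before it is used.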