I have not tested this, but I was under the impression that the shell
might present the problem on the last print statement:

-->    print MAIL "$args[3]\n";

I'll have to check the O'Reilly book on CGI programming, but this is
pretty bad if I remember correctly. I know that the formail code from
Matt's Script Archive was exploited this way. The only way to be sure
is to test it. As far as I can tell the flow of the program would be
as follows

HTML Form -> PERL Code -> shell.

The backticks would be preparsed by the shell. The output of the backtick
statement would then be sent in the email. I am still somewhat of a
perl newbie, so I could be wrong.

Although at this point you may be interacting with the sendmail
wrapper program. If this were the case, there is no risk.

I will try it later tonight and let everyone know.


Wesley A. Wannemacher
Instructor, Network Administrator
University of Northwestern Ohio

> -----Original Message-----
> From: Peter Green [mailto:[EMAIL PROTECTED]]
> Sent: Monday, November 13, 2000 3:16 PM
> Subject: Re: perl script acting funny
>
> * Wesley Wannemacher <[EMAIL PROTECTED]> [001113 15:09]:
> > I could be a little bit off-base, but it might be a bad idea to
> > approach your problem this way. For instance, what if a person enters
> > somewhere in the form:
> > `cat /etc/passwd | mail -s "You dumb f***, you just got hacked"
>
> Where exactly would that line be exec'd? There is only one place in the
> included code where stuff gets executed...there isn't any place to sneak
> your little command to the shell.
>
> > It is notoriously bad to /usr/lib/sendmail from a CGI script. Try
>
> Nah, it isn't all that bad. Especially since he isn't passing any
> possibly-tainted data to the shell (in the open() line).
>
> /pg
> --
> Peter Green : Gospel Communications Network, SysAdmin :
> ---
> The wise man can pick up a grain of sand and envision a whole universe. But
> the stupid man will just lay down on some seaweed and roll around until he's
> completely draped in it. Then he'll stand up and go: Hey, I'm Vine Man.
>  (Jack Handey)
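An added example, not code from the thread or from either poster, showing in Perl the point the two replies disagree on: only the string handed to a pipe open() is parsed by /bin/sh, while bytes printed to the resulting filehandle are plain data on sendmail's standard input. The @args layout, the sendmail path and the address regex are assumptions.

```perl
#!/usr/bin/perl
# Added example (not from the thread): data that reaches a shell versus
# data that only reaches sendmail's stdin.
use strict;
use warnings;

# Command run for delivery, as a list so no shell is involved.  -t reads
# recipients from the headers we print; -oi keeps a lone "." from ending
# input.  Substitute ('cat') to see the exact bytes without sending anything.
my @SENDMAIL = ('/usr/lib/sendmail', '-t', '-oi');

# Conservative recipient check: one bare address, nothing else.  Spaces,
# quotes, backticks, pipes and newlines are all rejected.
sub is_safe_address {
    my ($addr) = @_;
    return defined $addr
        && $addr =~ /\A[A-Za-z0-9._%+-]+\@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\z/;
}

# Constructed form submission standing in for @args in the script discussed.
my @args = ('Jane', 'Hello', "body with `uptime` typed in it\n",
            'jane@example.com');

# RISKY SHAPE (shown, not run): the recipient is interpolated into a single
# command string, which Perl gives to /bin/sh, so metacharacters in $args[3]
# would be interpreted before sendmail starts.
#   open(MAIL, "|/usr/lib/sendmail $args[3]") or die "open: $!";

# SAFE SHAPE: validate the only value that ends up on a command line, strip
# line breaks from the subject so it cannot inject extra headers, then use
# list-form open (no shell).  Backticks in the body are just characters.
sub send_form_mail {
    my ($to, $subject, $body) = @_;
    die "rejected recipient\n" unless is_safe_address($to);
    $subject =~ s/[\r\n]//g;
    open(my $mail, '|-', @SENDMAIL) or die "cannot start sendmail: $!";
    print $mail "To: $to\n";
    print $mail "Subject: $subject\n\n";
    print $mail $body;            # never passes through any shell
    close($mail) or die "sendmail exited with status $?\n";
    return 1;
}

send_form_mail($args[3], $args[1], $args[2]);
```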
