
Re: [MacPerl] Dangerous cgi-script



You wrote:
> Hi
>
> Is this cgi script dangerous? The idea with the script is to let
> the www-user do simple mathematics, but I am afraid they can do
> something dangerous. Is there any difference with Unix or Mac?
>
> Regards
>
> \Claes
>
> $math = $FORM{'calc'};
> $res=eval "$math";
> print <<ENDOFTEXT;
> <html>
> <title>Resultat</title>
> <FORM method=post
> action="matte2.cgi">
> <input type=text size=50 maxlength=60 name="calc" value="$math">
> <input type=submit value="Calculate">
> </FORM>
> <pre>
> The Results
>
> $math = $res
> </pre>
> </html>
> ENDOFTEXT
> 1;
>

There is a hole in your script: the eval() call is really
dangerous, because if someone guesses that, he could try to give a Perl
command as an argument and make it eval something like a system()
command!  :-/
Imagine the effect of something like:

    eval "system('rm -r *')";

I think that you could easily imagine all the possibilities...

-------------------------
APERGHIS-TRAMONI Sebastien
World Wide Web : http://www.resus.org/~madingue
E-Mail : madingue@cis.uni-muenchen.de
        (madingue@tango.resus.univ-mrs.fr)
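An added example, not code from either poster in this thread: the fix for the hole described above is to never pass the form field to eval() at all. This script evaluates the arithmetic itself with a whitelist and a small recursive-descent parser, so a Perl statement such as the system() call quoted above is rejected before anything is executed. The function name safe_calc is an assumption; it is meant to replace the `$res=eval "$math";` line, and it assumes `%FORM` has already been filled by the poster's own form-parsing code.

```perl
#!/usr/bin/perl
# Added example (not the original poster's script): evaluate a user-supplied
# arithmetic expression without handing it to eval().  Input is checked
# against a strict character whitelist, tokenised, and evaluated by a tiny
# recursive-descent parser, so Perl code in the field can never run.
use strict;
use warnings;

# safe_calc($expr) returns ($value, undef) on success or (undef, $error)
# when the input is anything other than a plain arithmetic expression.
sub safe_calc {
    my ($expr) = @_;
    return (undef, "input contains characters outside the arithmetic whitelist")
        unless defined $expr && $expr =~ /\A[\d\s.+\-*\/()]+\z/;

    # Tokenise: numbers, the four operators, parentheses; any other
    # non-space character becomes a one-char token the parser rejects.
    my @tok = $expr =~ /(\d+(?:\.\d+)?|[-+*\/()]|\S)/g;
    my $i = 0;

    # Declared first so the closures below can refer to each other.
    my ($expression, $term, $factor);

    # factor := NUMBER | '(' expression ')' | '-' factor
    $factor = sub {
        my $t = $tok[$i++];
        die "unexpected end of expression\n" unless defined $t;
        return -$factor->() if $t eq '-';
        if ($t eq '(') {
            my $v = $expression->();
            die "missing closing parenthesis\n"
                unless defined $tok[$i] && $tok[$i] eq ')';
            $i++;
            return $v;
        }
        die "unexpected token '$t'\n" unless $t =~ /\A\d/;
        return $t + 0;
    };

    # term := factor (('*' | '/') factor)*
    $term = sub {
        my $v = $factor->();
        while (defined $tok[$i] && $tok[$i] =~ /\A[*\/]\z/) {
            my $op  = $tok[$i++];
            my $rhs = $factor->();
            if ($op eq '*') { $v *= $rhs }
            else {
                die "division by zero\n" if $rhs == 0;
                $v /= $rhs;
            }
        }
        return $v;
    };

    # expression := term (('+' | '-') term)*
    $expression = sub {
        my $v = $term->();
        while (defined $tok[$i] && $tok[$i] =~ /\A[-+]\z/) {
            my $op  = $tok[$i++];
            my $rhs = $term->();
            $v = $op eq '+' ? $v + $rhs : $v - $rhs;
        }
        return $v;
    };

    # Block eval only traps die(); unlike eval "string" it compiles nothing.
    my $result = eval {
        my $r = $expression->();
        die "unexpected trailing token '$tok[$i]'\n" if $i < @tok;
        $r;
    };
    if (my $e = $@) { chomp $e; return (undef, $e) }
    return ($result, undef);
}

# In the CGI script this replaces:  $res = eval "$math";
#   my ($res, $err) = safe_calc($FORM{'calc'});
#
# Stand-alone demonstration with constructed inputs, including the
# system() payload quoted in the thread.
for my $input ("2 + 3 * (4 - 1)", "system('rm -r *')", "1 / 0") {
    my ($v, $e) = safe_calc($input);
    print defined $v ? "$input = $v\n" : "$input : rejected ($e)\n";
}
```

Only the parser decides what the string means, so the set of things a visitor can make the server do is exactly the four arithmetic operators; anything else, including a well-formed Perl call, fails the whitelist or the grammar and is reported back as an error instead of being compiled.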
