
Re: [MacPerl] Security on NT: a form to file script



"David M. Dantowitz" <david@dantowitz.com> wrote:
>Here's a simple script that was a hack/port from a standard form to mail
>script... we usually don't do a lot of Perl scripts on NT systems, but
>this one is destined for such a box rather than a MacOS machine.
>

>#!/usr/local/bin/perl

Use at least -w (warnings) on this line to catch silly programming errors
that might also open security holes.
If you want security, you also need to turn on taint checking.

># Temporary quick port of a form to email script. Instead, this
># now simply appends answers to the messages file in the
># cgi-bin folder.

Bad Idea. Now I can download all your mail by putting in the URL
dantowitz.com/cgi-bin/messages
in my favorite browser.

>foreach $pair (@nvpairs)
>{
>    ($name, $value) = split(/=/, $pair);
>
>    $value =~ tr/+/ /;
>    $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
>
>    $FORM{$name} = $value;
>}
You are doing this conversion two times.

> open (MAIL, ">>messages") || die "can't append to file messages.\n";
Hard-code the path to the message file. It must be somewhere
outside the document hierarchy of the web server. Sometimes
the current directory is not what you expect it to be.
(If I open a script with MacPerl, the current dir is the
dir of the script. If I open it with Alpha and run MacPerl
from Alpha via Apple Event, the current dir is the MacPerl dir.)

># Go to the result page based on the value from the form
>#
>print "Location:$FORM{'redirect'}\n\n";

This might be a problem, because $FORM{'redirect'}
may be changed by a user to weird values full of escape sequences.
But I don't see how someone can use this to open a security hole.

regards

Karsten Meier

---------------------------------------------------------------------
Karsten Meier

WWW: http://meier-online.com with following highlights:
 * German MacPerl Primer * XTensions for use with QuarkXPress
EMail krstnmr@ibm.net
Unsolicited and/or commercial email is not permitted at this address.
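
A version of the form-to-file script with the points raised above applied (warnings and taint mode on the #! line, a single decoding pass, a hard-coded data file outside the document root, and a redirect restricted to known pages), added here as an example; it is neither the original poster's script nor Karsten's code, and the data file path and the allowed redirect pages are assumed values.

```perl
#!/usr/local/bin/perl -wT
# Added example, not the original poster's script: the same form-to-file
# CGI rewritten along the lines of the review above. The data file path
# and the allowed redirect targets are assumed values.
use strict;

# Hard-coded path outside the web server's document root (assumed path).
my $MESSAGE_FILE = '/var/spool/formdata/messages';

# Only redirect to known pages; a user-supplied URL or header text is refused.
my %ALLOWED_REDIRECT = map { $_ => 1 } qw(/thanks.html /error.html);

# Read the raw form body once (POST) or the query string (GET).
my $buffer = '';
if (($ENV{REQUEST_METHOD} || '') eq 'POST') {
    read(STDIN, $buffer, $ENV{CONTENT_LENGTH} || 0);
} else {
    $buffer = $ENV{QUERY_STRING} || '';
}

# Decode each name/value pair exactly once.
my %FORM;
for my $pair (split /&/, $buffer) {
    my ($name, $value) = split /=/, $pair, 2;
    next unless defined $name && length $name;
    $value = '' unless defined $value;
    for ($name, $value) {
        tr/+/ /;
        s/%([a-fA-F0-9]{2})/pack('C', hex $1)/eg;
    }
    $FORM{$name} = $value;
}

# Untaint only what is written, and keep one record per line in the file.
my @fields;
for my $name (sort keys %FORM) {
    next if $name eq 'redirect';
    my ($clean) = $FORM{$name} =~ /^([\w\s.,@'"!?()\/-]*)$/;
    $clean = '' unless defined $clean;
    $clean =~ s/[\r\n\t]+/ /g;
    push @fields, "$name=$clean";
}
open my $fh, '>>', $MESSAGE_FILE or die "can't append to $MESSAGE_FILE: $!\n";
print $fh join("\t", scalar localtime, @fields), "\n";
close $fh or die "can't close $MESSAGE_FILE: $!\n";

my $redirect = $FORM{'redirect'} || '';
$redirect = '/thanks.html' unless $ALLOWED_REDIRECT{$redirect};
print "Location: $redirect\n\n";
```

Note that -T only takes effect from the #! line when the web server starts the script directly; when run by hand, pass -T on the perl command line as well.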


