Bugtraq mailing list archives
Re: Vulnerability in websendmail
From: merlyn () STONEHENGE COM (Randal Schwartz)
Date: Tue, 8 Jul 1997 07:11:27 -0700
"Razvan" == Razvan Dragomirescu <drazvan () kappa ro> writes:
Razvan> As many other cgi-bin programs, this one does not check for special Razvan> characters in the user input. Razvan> Here's what it does: Razvan> (...) Razvan> $cmd="| $MAILBIN $VAR_receiver"; Razvan> open (PIPEOUT, $cmd); It really amazes me how many newbie Perl hackers: (1) ignore the CGI Security FAQ (especially the parts about perl), or (2) roll their own mail sending stuff, instead of using Net::SMTP or the more powerful Mail::Tools package, both found in the CPAN. On second thought, maybe it's not amazing. :-) -- Name: Randal L. Schwartz / Stonehenge Consulting Services (503)777-0095 Keywords: Perl training, UNIX[tm] consulting, video production, skiing, flying Email: <merlyn () stonehenge com> Snail: (Call) PGP-Key: (finger merlyn () ora com) Web: <A HREF="http://www.stonehenge.com/merlyn/">My Home Page!</A> Quote: "I'm telling you, if I could have five lines in my .sig, I would!" -- me
Current thread:
- Re: Solaris 2.5.1 party piece Davin Milun (Jul 03)
- Re: Solaris 2.5.1 party piece Casper Dik (Jul 03)
- Vulnerability in websendmail Razvan Dragomirescu (Jul 04)
- tar-error inter (Jul 05)
- Solution to MacDNS problem (keywords MacDNS DNS Macintosh Dan Brown (Jul 07)
- Vulnerability in websendmail (fwd) Julian Assange (Jul 07)
- Alert: Utility allows any user to become a member of local Admini Aleph One (Jul 08)
- Re: Vulnerability in websendmail Randal Schwartz (Jul 08)
- SGI Security Advisory 19970502-02-PX - xlock Vulnerability SGI Security Coordinator (Jul 08)
- Buffer Overflows exploit for SunOS 4.1.4 Willy TARREAU (Jul 08)
- GetAdmin NT exploit Christopher Klaus (Jul 08)
- Inside GetAdmin Mark Joseph Edwards (Jul 08)
- Fw: Reported Proxy-Netscape Bug Mark Joseph Edwards (Jul 08)