Bugtraq mailing list archives

RE: Security bug in CGI::Lite::escape_dangerous_chars() function

From: Hard Coder <hcoder () yahoo com>
Date: Wed, 12 Feb 2003 23:55:17 -0800 (PST)

Hello Ronald and all others

You might be correct with the issue of
escape_dangerous_chars but instead of the technic you
showed

open (SM, "|/usr/sbin/sendmail -f rfg $recipient");


I would use

open(SM, "|/usr/sbin/sendmail -oi -t") || die
"sendmail";
...
print SM "To: $recipient\n";

I think an attacker may cause less harm with this
approach even if escape_dangerous_chars is buggy.

HC

__________________________________________________
Do you Yahoo!?
Yahoo! Shopping - Send Flowers for Valentine's Day
http://shopping.yahoo.com

Current thread:

Security bug in CGI::Lite::escape_dangerous_chars() function Ronald F. Guilmette (Feb 11)
- <Possible follow-ups>
- Re: Security bug in CGI::Lite::escape_dangerous_chars() function tee (Feb 12)
  - Re: Security bug in CGI::Lite::escape_dangerous_chars() function John Madden (Feb 13)
- RE: Security bug in CGI::Lite::escape_dangerous_chars() function Hard Coder (Feb 13)