Bugtraq mailing list archives

Re: Security bug in CGI::Lite::escape_dangerous_chars() function

From: John Madden <weez () freelists org>
Date: Wed, 12 Feb 2003 19:57:19 -0500

Better would be...


<snip>

And better still would be no command execution at all:

use Net::SMTP;

my $email = <<EOM;
To: $to
From: $from
Subject: $subject

...
...
EOM

my $smtp = Net::SMTP->new("mailsever.host.com");
$smtp->mail($from);
$smtp->to($to);
$smtp->data();
$smtp->datasend($email);
$smtp->dataend();
$smtp->quit();

...No command execution at all, and no need to have the issue-prone 
sendmail binary even installed on the system.

John




-- 
# John Madden  weez () freelists org
# MailandFiles.com: Your mail, your files: http://www.mailandfiles.com
# FreeLists: Free mailing lists for all: http://www.freelists.org
# Linux, Apache, Perl and C: All the best things in life are free!

Current thread:

Security bug in CGI::Lite::escape_dangerous_chars() function Ronald F. Guilmette (Feb 11)
- <Possible follow-ups>
- Re: Security bug in CGI::Lite::escape_dangerous_chars() function tee (Feb 12)
  - Re: Security bug in CGI::Lite::escape_dangerous_chars() function John Madden (Feb 13)
- RE: Security bug in CGI::Lite::escape_dangerous_chars() function Hard Coder (Feb 13)