--- randy Peterman <[EMAIL PROTECTED]> wrote:
> > I have to ask: where are you getting the $UserName value? What you are trying to do raises some serious security issues if done incorrectly.
>
> I am getting it from a form input.
Randy,

The problem with that is untainting an email address (see "perldoc perlsec") is *very* difficult to do correctly. Let's say that the input box is named "UserName". If you make any mistakes validating that information, you can open up your script to a HUGE security hole by allowing user data near the shell. Consider the following URL:

http://www.somehost.com/cgi-bin/mail.cgi?[EMAIL PROTECTED]'%3brm%20-fr%20*%3b

Your shell command then becomes:

/usr/lib/sendmail -t -i -f'[EMAIL PROTECTED]';rm -fr *;

Admittedly, I'm not a Unix security expert, but I suspect that this will have undesirable effects :) Playing around with that for a while should allow the cracker to have all sorts of fun.

> I am hard coding the "to" line so that I
> do not have to worry about spammers just using my page as a portal. Also
> they are registered users with cookies and passwords to authenticate things
> so that there should be very little chance that anything should be relayed
> by accident.
Cookies and passwords are very easy to sniff, social engineer, etc. You're using SSL to afford minimal protection, yes?

> then the list is checked to see if the person can post or not
> (its a private list)
Good! Then you should already have their email address. Rather than accepting $UserName from the form input, validate the user and, if valid, grab their email from your internal data (which hopefully is secure) and use *that* email.

Cheers,
Curtis "Ovid" Poe
=====
Senior Programmer
Onsite! Technology (http://www.onsitetech.com/)
"Ovid" on http://www.perlmonks.org/
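The approach Curtis recommends, written out as an added example (not code from the original thread): the form supplies only a login name, the sender address comes from the script's own user data, and sendmail is started with the list form of open() so no shell ever sees the address. The %registered hash, the login-name pattern and the example.com addresses are constructed stand-ins.

```perl
#!/usr/bin/perl -T
# Added example: taint-mode CGI mailer that never passes form data to a shell.
use strict;
use warnings;

# perlsec: clean the environment before running any external program,
# otherwise taint mode refuses to start sendmail even with a full path.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Constructed stand-in for the "internal data" of registered users.
# Assumed: a real script would read this from its user database.
my %registered = (
    alice => 'alice@example.com',
    bob   => 'bob@example.com',
);

# The only thing taken from the form is the login name, and it is untainted
# with a strict pattern before being used as a hash key. Anything containing
# quotes, semicolons or spaces (as in the URL above) simply fails the match.
sub lookup_sender {
    my ($form_username) = @_;
    return unless defined $form_username;
    my ($clean) = $form_username =~ /\A([A-Za-z0-9_]{1,32})\z/ or return;
    return $registered{$clean};    # undef if not a registered user
}

# Argument list for sendmail. With the list form of open() each element is
# passed directly to execve(), so "-f" and the address are separate words
# and ';rm -fr *' appended to the input could never be interpreted.
sub sendmail_argv {
    my ($from) = @_;
    return ('/usr/lib/sendmail', '-t', '-i', '-f', $from);
}

sub send_message {
    my ($form_username, $body) = @_;
    my $from = lookup_sender($form_username)
        or die "not a registered user\n";
    open(my $mail, '|-', sendmail_argv($from))
        or die "cannot run sendmail: $!\n";
    print $mail "To: list\@example.com\n";    # hard-coded, as in the thread
    print $mail "From: $from\n\n$body\n";
    close $mail or die "sendmail exited with status $?\n";
    return $from;
}
```

Run it with `perl -T` (the -T in the shebang alone is rejected when the script is started as `perl script.pl`); a name such as `alice'%3brm%20-fr%20*%3b` fails lookup_sender and the message is never sent.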