[sf-perl] Can't use an undefined value as filehandle reference

Bill Moseley moseley at hank.org
Thu Jul 7 00:22:53 PDT 2005


On Wed, Jul 06, 2005 at 09:01:57PM -0700, Vicki Brown wrote:
> At 15:01 -0700 07/06/2005, Bill Moseley wrote:
> >Really, I'd dump that script.
> 
> Really I'd rather not ;-)
> 
> At 15:01 -0700 07/06/2005, Bill Moseley wrote:
> >That script starts out like:
> >
> >    #!/usr/bin/perl
> >    print "Content-Type: text/html\n\n";
> >
> >not a good sign.
> 
> You have something against Really Simple SeeGeeEye?

Simple is ok.  Poorly written and insecure is something else.

If you find a script without "use strict" then how do you know they
don't have typos or worse in the code?  That script doesn't have
strict or warnings enabled.  It won't run with those, in fact.  Does
anyone with any perl experience not use strict?  Try enabling taint
mode for fun, too.

The first thing the script does is send a content-type header.  So
that means it can't die and generate a 500 error.  Something goes
wrong and the user gets a blank page.

The author doesn't use the standard CGI.pm package for processing the
form.  Bad sign.  The author has created yet another templating
system.  I guess everyone has to do this at some point.  The script
sends mail with sendmail directly instead of using one of the many
mail modules on CPAN.  The script fails to check for errors when
closing the pipe to sendmail.  Also, the envelope sender will be the
web server user -- probably not what you want at all.

The script sends errors to the browser.  Bad form IMO.  Have a nice
500 ErrorDocument if you like, but leave the errors in the error log
for someone that gives a hoot.

The script uses user input in system calls without validation.
Unacceptable.  You can set template to /etc/password and it will
likely get mailed (bounced) to the user that the web server runs as.
Do you really want a web form to be able to cause the script to
attempt to read any file on the machine (and pass it to sendmail) by
just submitting a web form?  Hum, I wonder if one could point it at a
mbox file and have it send the entire mailbox to the lucky recipients
on the first message.  Probably.

The template is relative to where the script is located (at least for
apache that chdir's to where the cgi script is).  Why would templates
be in the web space?  The template form variable should be an index to
a pre-defined set of templates in some far off data directory or
at least validated and constrained in some reasonable way.

Will this be publicly available?  If so you will likely find that
someone runs a bot against it and ends up sending thousands of email
messages.  Kind of an open relay.  My mail forms require that the
client first fetches the form which includes a hidden, encrypted
variable.  The form must be submitted with this variable and it's only
valid one time after a few seconds and then only for a few minutes.
Keeps bots from just submitting the form over and over.  It will
happen if publicly available.

People will know you are using tmail.pl, too, and look for exploits.

I'm sure you can find something better.  Didn't London PM write a
bunch of replacements for Matt's Script Archive scripts?  Oh, ya:

    http://nms-cgi.sourceforge.net/

There's a replacement FormMail and also something called TFMail,
whatever that is.  Or write your own script that does exactly what you
want.


-- 
Bill Moseley
moseley at hank.org
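The fixes the reply asks for (strict, warnings and taint mode; the template variable as an index into a predefined set outside the web space; an explicit envelope sender; checking the close on the sendmail pipe; errors to the log rather than the browser), gathered into one sketch as an added example that is not from tmail.pl or from the original post. The template directory, the sendmail path and the example.com addresses are assumptions.

```perl
#!/usr/bin/perl -T
# Added example, not the script under discussion: a form-mail handler
# written the way the reply recommends.
use strict;
use warnings;
use CGI;

# Taint mode refuses to run external commands with an untrusted PATH.
$ENV{PATH} = '/usr/sbin:/bin';

my $TEMPLATE_DIR = '/var/lib/formmail/templates';  # assumed; not under the web root
my $SENDMAIL     = '/usr/sbin/sendmail';           # assumed path
my $SENDER       = 'forms@example.com';            # placeholder envelope sender
my $RECIPIENT    = 'recipient@example.com';        # placeholder recipient

# The form supplies a name; only names listed here map to a file, so the
# submitter never controls a filesystem path.
my %TEMPLATES = (
    contact  => 'contact.txt',
    feedback => 'feedback.txt',
);

# Returns the full template path for a form value, or undef when the
# value is missing or not one of the predefined templates.
sub template_path {
    my ($name) = @_;
    return unless defined $name && exists $TEMPLATES{$name};
    return "$TEMPLATE_DIR/$TEMPLATES{$name}";
}

sub main {
    my $q = CGI->new;

    # No header has been sent yet, so a die here reaches the error log and
    # the client sees a 500 instead of a blank page.
    my $path = template_path( $q->param('template') )
        or die "rejected template parameter\n";

    open my $tpl, '<', $path or die "cannot open $path: $!\n";
    my $body = do { local $/; <$tpl> };
    close $tpl;

    # List-form open: no shell, and the envelope sender is set with -f
    # instead of defaulting to the web server user.
    open my $mail, '|-', $SENDMAIL, '-oi', '-f', $SENDER, $RECIPIENT
        or die "cannot run sendmail: $!\n";
    print {$mail} "From: $SENDER\nTo: $RECIPIENT\nSubject: web form\n\n$body";
    # A false return from close means sendmail exited non-zero; do not
    # tell the user the message went out.
    close $mail or die "sendmail failed: " . ( $! ? $! : "exit status $?" ) . "\n";

    print $q->header('text/plain'), "Thanks, your message was sent.\n";
}

main();
```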


