Bugtraq mailing list archives
Re: Several new CGI vulnerabilities
From: merlyn () STONEHENGE COM (Randal Schwartz)
Date: Mon, 9 Nov 1998 19:45:28 -0700
"xnec" == xnec <xnec () WINTERMUTE LINUX TC> writes:
xnec> Either fork your sendmail process, strip out metacharacters (or
xnec> only allow certain characters),

You cannot restrict the permitted characters of an email address.
*Any* character is permitted on the left-side of an @, presuming the
proper quoting is used for those more odd ones.

For example, <fred&barney () stonehenge com> is a perfectly valid email
address (try it, an autoresponder responds!).

xnec> use open (MAIL , "|$sendmail -t") or rm -rf
xnec> ./cgi-bin.

Or use Net::SMTP to pass the data directly to port 25.

--
Name: Randal L. Schwartz / Stonehenge Consulting Services (503)777-0095
Keywords: Perl training, UNIX[tm] consulting, video production, skiing, flying
Email: <merlyn () stonehenge com> Snail: (Call) PGP-Key: (finger merlyn () teleport com)
Web: <A HREF="http://www.stonehenge.com/merlyn/">My Home Page!</A>
Quote: "I'm telling you, if I could have five lines in my .sig, I would!" -- me
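
An added example, not part of the original post and not written by its author: the `open (MAIL , "|$sendmail -t")` approach from the thread, written with Perl's list-form pipe open so that no shell ever sees the address and characters such as `&` need no filtering. The sendmail path, the `-oi` flag, the line-break check and the sample addresses are assumptions of this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumed path; adjust for the local MTA.
my $SENDMAIL = '/usr/sbin/sendmail';

# Header values are not filtered for shell metacharacters, because no shell
# is involved. The only thing refused is a line break (or NUL), which would
# let a value start a new header when sendmail -t parses the message.
sub header_value {
    my ($name, $value) = @_;
    die "$name: line break or NUL in header value\n"
        if !defined $value || $value =~ /[\r\n\0]/;
    return $value;
}

sub build_message {
    my (%f) = @_;
    my $head = '';
    $head .= "$_: " . header_value($_, $f{$_}) . "\n" for qw(To From Subject);
    return $head . "\n" . $f{Body} . "\n";
}

sub deliver {
    my ($message) = @_;
    # List-form pipe open: perl execs sendmail directly with these
    # arguments, so nothing in the message or address reaches /bin/sh.
    # -t takes recipients from the headers; -oi stops a lone "." line
    # in the body from ending the message early.
    open(my $mail, '|-', $SENDMAIL, '-t', '-oi')
        or die "cannot run $SENDMAIL: $!\n";
    print {$mail} $message;
    close($mail) or die "sendmail failed: exit status $?\n";
}

# Constructed form input: an odd-but-valid address and a value with a line break.
my @submitted = ('fred&barney@example.com', "a\@example.com\nX-Extra: 1");

for my $to (@submitted) {
    my $msg = eval {
        build_message(To => $to, From => 'webform@example.com',
                      Subject => 'Feedback', Body => 'Thanks for writing.');
    };
    if (!defined $msg) { print "rejected: $@"; next; }
    print "accepted: $to\n";
    deliver($msg) if @ARGV && $ARGV[0] eq '--send';
}
```

Run without arguments it only reports which constructed inputs are accepted; pass `--send` to hand the accepted messages to the local sendmail.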