Bugtraq mailing list archives

Re: Several new CGI vulnerabilities

From: merlyn () STONEHENGE COM (Randal Schwartz)
Date: Mon, 9 Nov 1998 19:45:28 -0700

"xnec" == xnec  <xnec () WINTERMUTE LINUX TC> writes:


xnec> Either fork your sendmail process, strip out metacharacters (or
xnec> only allow certian characters),

You cannot restrict the permitted characters of an email address.
*Any* character is permitted on the left-side of an @, presuming
the proper quoting is used for those more odd ones.

For example, <fred&barney () stonehenge com> is a perfectly valid
email address (try it, an autoresponder responds!).

xnec>  use open (MAIL , "|$sendmail -t") or rm -rf
xnec> ./cgi-bin.

Or use Net::SMTP to pass the data directly to port 25.

--
Name: Randal L. Schwartz / Stonehenge Consulting Services (503)777-0095
Keywords: Perl training, UNIX[tm] consulting, video production, skiing, flying
Email: <merlyn () stonehenge com> Snail: (Call) PGP-Key: (finger merlyn () teleport com)
Web: <A HREF="http://www.stonehenge.com/merlyn/";>My Home Page!</A>
Quote: "I'm telling you, if I could have five lines in my .sig, I would!" -- me

Current thread:

Re: tcpd -DPARANOID doesn't work, and never did Wietse Venema (Nov 09)
- <Possible follow-ups>
- Re: tcpd -DPARANOID doesn't work, and never did Dave Barr (Nov 09)
- Re: tcpd -DPARANOID doesn't work, and never did D. J. Bernstein (Nov 09)
  - Re: Several new CGI vulnerabilities Randal Schwartz (Nov 09)
  - Re: tcpd -DPARANOID doesn't work, and never did Wietse Venema (Nov 09)
  - Re: tcpd -DPARANOID doesn't work, and never did Darren Reed (Nov 10)
  - Re: tcpd -DPARANOID doesn't work, and never did Greg A. Woods (Nov 10)
- Re: tcpd -DPARANOID doesn't work, and never did Jim Dennis (Nov 09)
- Re: tcpd -DPARANOID doesn't work, and never did D. J. Bernstein (Nov 10)
  - Re: tcpd -DPARANOID doesn't work, and never did Wietse Venema (Nov 11)