Bugtraq mailing list archives
formmail patch
From: peter.thompson-yezek () UNI EDU (Peter D. Thompson Yezek)
Date: Fri, 26 May 2000 12:14:10 -0500
Hello, I've developed a patch for the recently reported problem with Matt Wright's FormMail script. The patch listed at http://www.securityfocus.com/bid/1187 implements an access control of sorts, but this was not a usable solution at our site. The following gives the sysadmin the ability to allow certain environment variables to be reported, but blocks all others. 36a37,42
# @valid_ENV allows the sysadmin to define what environment variables can # be reported via the env_report directive. This was implemented to fix # the problem reported at http://www.securityfocus.com/bid/1187 @valid_ENV = ('REMOTE_HOST','REMOTE_ADDR','REMOTE_USER','HTTP_USER_AGENT');
186a193,204
# Only allow ENV variables in @valid_ENV in @Env_Report for security # reasons. foreach $env_item (@Env_Report) { foreach $valid_item (@valid_ENV) { if ( $env_item eq $valid_item ) { push(@temp_array, $env_item); } } } @Env_Report = @temp_array;
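Review bot: The default `@valid_ENV` list in the 36a37,42 hunk includes `REMOTE_USER`, which holds the authenticated user name on sites that use HTTP authentication, so the shipped default still lets a form have it reported through env_report. Consider leaving it out of the default, or extending the comment to say that each entry should be reviewed for what it discloses. The comment could also note that names are compared with `eq`, so entries must be spelled exactly as the keys appear in `%ENV`.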
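Review bot: `@temp_array` in the 186a193,204 hunk is never declared or emptied before the loops, so anything already stored in a variable of that name would be copied into `@Env_Report` without being checked against `@valid_ENV`. Declare it immediately before the outer `foreach` (for example `my @temp_array;` or `@temp_array = ();`), or give it a name specific to this filter. The nested loops could also be reduced to a single pass by building a hash from `@valid_ENV` and keeping only the `@Env_Report` entries found in it, which makes the intent easier to read.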
-- Peter D. Thompson Yezek . (319)-273-7390 WWW Tools Specialist . Peter.Thompson-Yezek () uni edu University of Northern Iowa . http://www.uni.edu