Vulnerability Development mailing list archives

PGPMail.pl possible remote command execution


From: John Scimone <jscimone () cc gatech edu>
Date: Thu, 29 Nov 2001 19:25:58 -0500

PGPMail.pl (http://www.venturablvd.com/pgpmail/) is a modified version of 
Matt Wright's FormMail.pl meant to support PGP form mail.
I was recently looking at the code and noticed 2 questionable open() calls 
that appear to be exploitable:

open (MAIL, "|$mailprog $CONFIG{'recipient'}") || die "Can't open $mailprog!\n";

and...

$ret_val = open (PGP, "|$pgpprog -fea +VERBOSE=0 \"$CONFIG{'pgpuserid'}\" > $pgptmp");

recipient and pgpuserid are both kept in hidden fields supplied by the client. 
Wouldn't it be possible to just throw in a "; /bin/whatever" to execute 
commands with the privileges of the webserver?

the only parsing done on the input is in these lines:

      $value =~ tr/+/ /;
      $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;

      # If they try to include server side includes, erase them, so they
      # arent a security risk if the html gets returned.  Another
      # security hole plugged up.

      $value =~ s/<!--(.|\n)*-->//g;
      $value =~ s/~!/ ~!/g; #maybe superfluos

I don't understand Perl that well, so I'll leave this up to the reader to 
decide whether this can be exploited successfully, but your thoughts are 
appreciated.

The last update to this script was done at the beginning of 2000 and it isn't 
too active on the web; however, there are some sites running it, and this 
should be looked at if it is exploitable.

John Scimone
CS Major @ Ga Tech
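
Editor's note: the following Perl script is an added demonstration and is not part of the post above or of PGPMail.pl. It shows why the two-argument pipe open() quoted in the post hands the whole string to /bin/sh -c (so a ";" in a hidden field runs a second command), and contrasts it with the list-form open(), which exec()s the program directly with no shell. /bin/echo stands in for the real mail program, the recipient value is constructed, and the allow-list in recipient_ok() is an assumption; none of these come from the original script.

```perl
#!/usr/bin/perl
# Added demonstration (not PGPMail.pl code): two-argument pipe open() with
# client-supplied text versus the list-form open().  /bin/echo is a harmless
# stand-in for $mailprog so this runs offline.
use strict;
use warnings;

my $mailprog = '/bin/echo';   # assumption: stand-in for the real mail program

# Constructed hidden-field value, as an attacker could submit it.  The ';'
# terminates the intended command when a shell parses the string.
my $recipient = 'victim@example.com; echo INJECTED';

# 1. The pattern quoted from PGPMail.pl.  Perl sees shell metacharacters in
#    the command string and runs it via /bin/sh -c, so two commands execute:
#    "echo victim@example.com" and then "echo INJECTED".
print "--- vulnerable two-argument open ---\n";
open(my $mail, "|$mailprog $recipient")
    or die "Can't open $mailprog: $!\n";
# (PGPMail.pl would print the message body to $mail here.)
close($mail);

# 2. List-form open.  With more than one list element Perl fork()s and
#    exec()s $mailprog directly; no shell parses anything, so the ';' is
#    just part of the single argument /bin/echo receives and prints once.
print "--- list-form open, no shell ---\n";
open(my $safe, '|-', $mailprog, $recipient)
    or die "Can't exec $mailprog: $!\n";
close($safe);

# 3. Removing the shell is necessary but not sufficient: the mail program
#    itself will still interpret whatever argument it is given (for example
#    a value beginning with '-').  Compare the value against a server-side
#    allow-list before it reaches any open() at all.
sub recipient_ok {
    my ($addr) = @_;
    my %allowed = map { $_ => 1 } ('webmaster@example.com');   # assumption
    return exists $allowed{$addr} ? 1 : 0;
}

print "--- allow-list check ---\n";
for my $addr ('webmaster@example.com', $recipient) {
    printf "%-40s %s\n", $addr, recipient_ok($addr) ? 'accepted' : 'rejected';
}
```

Note that the real $mailprog setting in scripts of this kind is often a string such as "/usr/lib/sendmail -t"; to use the list form it has to be split into program and arguments first, since a single-element list is still passed to the shell. The same two-argument open() problem applies to the PGP call in the post: the pgpuserid value is placed inside double quotes in the command string, so a value containing a closing quote followed by ";" breaks out of the quoting in exactly the same way.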

