http://www.perlmonks.org?node_id=205148


in reply to Re: Re: Re: Eliminating useless server information
in thread Eliminating useless server information

Many thanks to those in the chatterbox that pointed out some of these comments, particularly perrin and merlyn. This comment should be considered a combined comment.

There are many dangers inherent in rolling your own mail script. (Matt Wright managed to expose almost all of them, so you can search perlmonks and/or the web and newsgroups if you want excrutiating detail.)

merlyn correctly pointed out that your script is ripe for spam abuse. And don't think they won't use it.

First, there is a project called NMS that creates solid "simple" scripts like this that are audited by the community for security holes. I'd recommend looking there first in the future. In particular, look at their formmail script. The code is well documented, and it can prevent the spam relay concerns, as well as others.

Second, while you module makes use of the CGI module, you don't use any of the Mail::* modules. I recommend using a module for this sort of thing: It increases portability, and centralizes the functionality so it easy to upgrade security holes if/when they are discovered.

Third, you don't make use of taint checking. While all CGI scripts should arguably use taint checking, scripts that pass said data to other programs need it all the more.