PerlMonks  

Re: Vetting a CGI script

by idsfa (Vicar)
on Nov 12, 2003 at 18:02 UTC (#306572)


in reply to Vetting a CGI script

For arbitrary input, consider that you are offering to set up a spam relay:

$in{myName} = "\n.\n"                                    # a lone "." line ends the legitimate message body
            . "MAIL FROM fake\@dev.null\n"               # what follows is read as new SMTP commands
            . "RCPT TO poor\@target.domain\n"
            . "DATA\n$spam_message_goes_here\n.\n"       # the attacker's own message, terminated the same way
            . "MAIL FROM junk\@throwaway\nRCPT TO nobody\@nowhere\n"
            . "DATA\n\nJust junk to avoid throwing an error";

... or anything else someone might want to do with access to your SMTP server. (Moral of story: Net::SMTP ... but I assume you are doing this as justification for a rewrite anyway.)


My parents just came back from a planet where the dominant life form had no
bilateral symmetry, and all I got was this stupid F-Shirt.


Re: Re: Vetting a CGI script
by dvergin (Monsignor) on Nov 12, 2003 at 18:09 UTC
    Perfect! That's exactly the kind of thing I was looking for.

    So I would recommend the use of the sendmail '-i' option. Given that and the fact that all the email header data is hard-coded, is there any way to cause grief with user data only going into the email body?

    ------------------------------------------------------------
    "Perl is a mess and that's good because the
    problem space is also a mess.
    " - Larry Wall

      I'd really recommend not doing that either. For one, the syntax for that call looks like:

      $message = "From: blah\nTo: blah\nSubject: blah\n\nmessage\n";
      open(SENDMAIL, "|sendmail -i") or die "cannot start sendmail: $!";   # -i: a line consisting of a lone "." does not end the input
      print SENDMAIL $message;
      close(SENDMAIL) or die "sendmail exited with status $?";

      Updated:
      (Yes, I know it could be done with multiple print's, but I hate dribbling information through a pipe ...)

      Which is a bigger rewrite than moving to Net::SMTP:

      use Net::SMTP;
      my $smtp = Net::SMTP->new('mailhost') or die "cannot connect to mailhost: $@";
      $smtp->mail($ENV{USER});          # print MAIL "MAIL FROM ..."
      $smtp->to('postmaster');          # print MAIL "RCPT TO ..."
      $smtp->data();                    # print MAIL "DATA\n";
      $smtp->datasend("line 1\n");      # print MAIL ...
      $smtp->datasend("line 2\n");      # print MAIL ...
      $smtp->datasend("line 3\n");      # print MAIL ...
      $smtp->dataend();
      $smtp->quit;

      Updated: (duh ... typing "first" w/o a "second")
      Second, invoking a whole 'nother app (sendmail) when you've already got perl running is just a bunch more overhead on your server. You then also have any security holes in 'sendmail -i' to remember to look for.


        Quoth idsfa: "I'd really recommend not doing that either. For one, the syntax..." I'm missing something. What is wrong with solving the "\n.\n" issue by using the '-i' option in a pipe to sendmail? And what is syntactically bad about the example you gave?

        Same question regarding use of Net::SMTP. The boss is going to ask me "Why?". I need a better answer than, "Some helpful person on the web said it was better." Why is the Net::SMTP code you recommend more secure than piping to sendmail with the '-i' option and hard-coded email header data? I know there are issues about gracefully handling situations where sendmail is missing or in a non-standard place. I'll deal with that. But what sort of potential input would Net::SMTP handle more securely in this situation?

        BTW: I use standard modules all the time and will likely recommend Net::SMTP for use here. This is not a question of wanting to avoid their use. I just want to have a knowledgeable rationale to explain myself.


Re: Re: Vetting a CGI script
by iburrell (Chaplain) on Nov 13, 2003 at 00:05 UTC
    That attack isn't a problem unless he was talking directly to the receiving mail server over SMTP. sendmail will encode the period and unless the receiving mail server is completely broken, the message will just have some SMTP commands in it.

    Update: I forgot about the -i flag to sendmail to prevent the rogue period from ending the message. The SMTP commands shouldn't be interpreted by sendmail but the period can be used to shorten the message sent.
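The lone-dot mechanic the whole thread turns on, as an added example that is not code from any of the posters above. A constructed input of the same shape as the payload in the first reply is pushed through two framings. The first imitates sendmail without -i, or a script writing straight to port 25: the message ends at the first line that is exactly ".", so the attacker either truncates the body or, on a raw socket, gets the remainder parsed as commands. The second applies the transparency rule of RFC 5321 section 4.5.2 (a line beginning with "." gets one more "." prepended before sending, and the receiver strips one again), which is what Net::SMTP's datasend does to its argument and what sendmail does when it relays a message. Line endings are kept as "\n" for readability; on the wire they are CRLF. The helper names are this example's own.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed input, same shape as the payload in the first reply: a real body
# line, then a lone "." line, then text meant to be read as SMTP commands.
my $user_input = "Hello from the form\n"
               . ".\n"
               . "MAIL FROM:<fake\@dev.null>\n"
               . "RCPT TO:<poor\@target.domain>\n";

# Framing 1: sendmail without -i, or a hand-rolled SMTP client. Input ends at
# the first line that is exactly "."; whatever follows is dropped (sendmail)
# or parsed as new commands (raw socket to a mail server).
sub terminate_at_lone_dot {
    my ($data) = @_;
    my @kept;
    for my $line (split /\n/, $data) {
        last if $line eq '.';
        push @kept, $line;
    }
    return join("\n", @kept) . "\n";
}

# Framing 2: SMTP transparency (RFC 5321 section 4.5.2). Before sending, every
# line that begins with "." gets one more "." in front of it. This mirrors
# what Net::SMTP->datasend does to the text it is given.
sub dot_stuff {
    my ($data) = @_;
    $data =~ s/^\./../mg;
    return $data;
}

# The receiving server, having already taken the lone "." as end-of-data,
# removes one leading "." from every remaining line that starts with one.
sub dot_unstuff {
    my ($data) = @_;
    $data =~ s/^\.//mg;
    return $data;
}

# Client stuffs, the server stops at a lone dot and unstuffs. Because stuffing
# leaves no line that is exactly ".", the only terminator the server can see
# is the one the client appends itself (what dataend() does).
sub round_trip {
    my ($body) = @_;
    my $wire = dot_stuff($body);
    die "stuffing left a bare terminator line" if $wire =~ /^\.$/m;
    return dot_unstuff(terminate_at_lone_dot($wire . ".\n"));
}

print "--- unprotected framing keeps only:\n", terminate_at_lone_dot($user_input);
print "--- transparency round trip returns:\n", round_trip($user_input);
```

Run as written, the unprotected framing keeps only the first line, while the round trip hands the server the user's text intact, embedded "." line included, with nothing of it ever reaching the command parser. The die inside round_trip is the check worth keeping in mind when vetting: after stuffing there must be no line that is exactly ".", so the attacker has no way to plant an early end-of-data. sendmail -i gives the same protection against the lone dot at the pipe boundary; the example only makes visible what that flag and Net::SMTP are each preventing.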
