Welcome to the Monastery | |
PerlMonks |
Re^3: CGI and e-mailby afoken (Chancellor) |
on Dec 18, 2015 at 05:23 UTC ( [id://1150668]=note: print w/replies, xml ) | Need Help?? |
That code looks quite scary. No traces of use strict, taint mode not enabled, incomplete manual decoding of CGI parameters (instead of using one of the CGI modules), lots of error checks missing (read, flock), invoking sendmail with unverified parameters, using a single string instead of using the "secure pipe open" technique or using a perl-based mailer (the old but working MIME::Lite, the modern but more complex Email::Sender, ...) instead of sendmail The last problem makes the webserver vulnerable: Just imagine what happens when someone submits a form with the email value set to bla@bla.bla;uname -a;ls /;cat /etc/passwd. Alexander
-- Today I will gladly share my knowledge and experience, for there are no sweeter words than "I told you so". ;-)
In Section
Seekers of Perl Wisdom
|
|