in reply to Re: prevent perl script running from browser in thread prevent perl script running from browser
That looks scary.
I've already explained some of the problems with the first few lines of the code. Let me add some more notes for the remaining part.
I would disable that script NOW. Just remove it from the server, then fix the problems. There are at least three obvious injection problems that need to be addressed, and there is a race condition in encrypting the form data.
Alexander
--
Today I will gladly share my knowledge and experience, for there are no sweeter words than "I told you so". ;-)
Re^3: prevent perl script running from browser
by snowchild (Novice) on Oct 02, 2017 at 05:38 UTC
|
hi Alexander
Thank you for a very concise run down on my garbage script.
I hope you realize that for most of the comments you wrote line by line I have no idea what you are talking about LOL.
As I said earlier, someone wrote this script 17 years ago and since then it has had some minor changes made by others from trying to make it work on various hosting servers. I think it would be best as you say, to remove the script ASAP and try to write a better solution with PHP.
In the meantime I am stuck with it. It does the job and no I have not noticed any errors in the output or mixing up of emails being sent, but as you say it's got more holes in it than swiss cheese. I cannot disable it until I have something better to replace it with. Such is life.
Thanks again
| [reply] |
|
I hope you realize that for most of the comments you wrote line by line I have no idea what you are talking about LOL.
Well, you chould change that. Understand what happens in the script, even in its current, scary state. That's not hard. In fact, the lack of error checks actually makes it easier to follow the program flow. Ask for things that you don't understand, in the code and in my review. We are here to answer.
As I said earlier, someone wrote this script 17 years ago and since then it has had some minor changes made by others from trying to make it work on various hosting servers.
That explains the commented-out statements and the indent.
I think it would be best as you say, to remove the script ASAP and try to write a better solution
Yes.
with PHP.
No.
In the meantime I am stuck with it. It does the job and no I have not noticed any errors in the output or mixing up of emails being sent,
Well, then you are lucky not to have a lot of load on the webserver.
but as you say it's got more holes in it than swiss cheese.
At least, it has a lot of potential to be a spam relay, using your company's name. It can also be used to generate malicious web pages that seem to be hosted on your company's hosted webserver. It should be quite easy to steal cookies and other data from the user's browser.
I cannot disable it until I have something better to replace it with. Such is life. Thanks again
Well, you could. Talk to your boss. Make it urgent to get a sane replacement. It's likely much cheaper than fixing the bad reputation you could get if someone finds this script.
Alexander
--
Today I will gladly share my knowledge and experience, for there are no sweeter words than "I told you so". ;-)
| [reply] |
|
|