Beefy Boxes and Bandwidth Generously Provided by pair Networks
Come for the quick hacks, stay for the epiphanies.

comment on

( [id://3333]=superdoc: print w/replies, xml ) Need Help??

Ok. I'm prepared for major downvotes for even doubting the Monks on this. But it is popular opinion here that Matt's Script Archive (MSA) is "insecure". To me "insecure" means that using this script will cause your web server to become vulnerable to attack of the type which allows access by unauthorized individuals. This is a separate and distinct failing in a script from the lesser affliction "easily broken"-- which simply means that the script can be caused to fail due to programming errors that failed to account for some input.

The code below is, I think, the most recent MSA and even I can see that it is easily broken. But is it insecure? If it is insecure, why is it that there isn't a Code RedHat worm crawling the web looking for pages with forms that submit to a script called MSA is extremely common, after all.

I will point out some obvious flaws, and artifacts to get the discussion going, but none of these are server-endangering in any capacity that I'm aware of. If they are, the Perl Monks community has an opportunity to make sure that we review and publicize the existence of a secure alternative (perhaps btrott's STAMP), and get it on CPAN. If nothing else, the replies to this post of mine will serve as further information for the curious.

The flaws that I notice:

  • Does not use CGI. This means that form input has to be hand-parsed. Is this potentially insecure, or is it just trivial to break, resulting in a 500 error or no action for the user?
  • Relies on system calls to sendmail. It does have the path hardcoded in full for this, and could conceivably point to any MTA. Is this a concern given the next point?
  • Does not use Taint mode. We all know that taint will prevent accidentally letting the user send unchecked information to the system. It is not a magic bullet, since in using it we still have to decide what to allow, and the strength of our script depends on what we allow.
  • Does not use -w or strict. These are great for development. But if it could compile under -w and strict, and produce no warnings or halts, then it is safe to take them out right? Note: does not compile under strict. Under -w it only emits one warning. added: as chipmunk points out, these have runtime effects as well, so taking them out in production will not catch certain runtime errors that are part of the benefits of the -w and strict. Once they're there I see no reason to take them out again and wouldn't recommend it, unless you have some BOFH who just won't stand for detailed and descriptive error logs.
  • Script retains artifacts of the code that made it insecure in the past-- interesting but not useful code that isn't breaking the script, but isn't actually improving its quality. See $ENV{'HTTP_REFERER'}. This used to provide an open relay since it is trivially spoofed, but the newer script also checks for valid recipients, and those cannot be spoofed, since the valid domains for recipients have to be hard-coded into
In the script's defense, it looks to have been written in a Perl 4 style (at a time when this would have been appropriate). Matt may not be interesting in changing the ability to run this on a Perl 4 machine (does it, in fact, still run on a Perl 4 machine?). While Matt may be overly concerned with backwards compatibility, is his method of staying compatible a security risk?

UPDATE: I have removed the code from Matt's Script Archive and replaced it with this link to After reading the copyright statement, I felt I was possibly engaging in distribution of the script-- an activity I did not obtain permission to engage in.

In reply to Exploit this for fun and, well, fun. (LONG) by ichimunki

Use:  <p> text here (a paragraph) </p>
and:  <code> code here </code>
to format your post, it's "PerlMonks-approved HTML":

  • Posts are HTML formatted. Put <p> </p> tags around your paragraphs. Put <code> </code> tags around your code and data!
  • Titles consisting of a single word are discouraged, and in most cases are disallowed outright.
  • Read Where should I post X? if you're not absolutely sure you're posting in the right place.
  • Please read these before you post! —
  • Posts may use any of the Perl Monks Approved HTML tags:
    a, abbr, b, big, blockquote, br, caption, center, col, colgroup, dd, del, div, dl, dt, em, font, h1, h2, h3, h4, h5, h6, hr, i, ins, li, ol, p, pre, readmore, small, span, spoiler, strike, strong, sub, sup, table, tbody, td, tfoot, th, thead, tr, tt, u, ul, wbr
  • You may need to use entities for some characters, as follows. (Exception: Within code tags, you can put the characters literally.)
            For:     Use:
    & &amp;
    < &lt;
    > &gt;
    [ &#91;
    ] &#93;
  • Link using PerlMonks shortcuts! What shortcuts can I use for linking?
  • See Writeup Formatting Tips and other pages linked from there for more info.
  • Log In?

    What's my password?
    Create A New User
    Domain Nodelet?
    and the web crawler heard nothing...

    How do I use this?Last hourOther CB clients
    Other Users?
    Others wandering the Monastery: (2)
    As of 2024-07-16 08:13 GMT
    Find Nodes?
      Voting Booth?

      No recent polls found

      erzuuli‥ 🛈The London Perl and Raku Workshop takes place on 26th Oct 2024. If your company depends on Perl, please consider sponsoring and/or attending.