Re: formail (was moron at perl/cgi)

Author: Craig White
Date:  
To: Main PLUG discussion list
Subject: Re: formail (was moron at perl/cgi)
On Thu, 2006-01-12 at 07:07 -0700, Victor Odhner wrote:
> Craig White wrote:
>
> >Downloaded a simple perl-cgi script called ForMail.pl
> >
> >getting fast and loose with permissions...
> >
> >
> I trust you know this, but ...
>
>
> ForMail has some legendary security holes, due to its trust
> of user data. Just google for formail exploit
> to see 22 pages of references.
> This script is a poster child for bad CGI usage.
> Being under selinux would be no protection here.

----
That's pretty well documented in the README and in the source. There
seem to be adequate restrictions on senders/recipients now.

As for the poster child for bad CGI...I am the unwitting consumer of bad
CGI - if you can point me to better code...I would appreciate it.

Craig

---------------------------------------------------
PLUG-discuss mailing list -
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss