RE: formail (was moron at perl/cgi)

Attachments:
Message as email (text/plain)

Author: todd hewett
Date:
To: 'Main PLUG discussion list'
Subject: RE: formail (was moron at perl/cgi)

There is a group called (I believe) the Perl Mongers that have rewritten
some of the scripts found on Matts script Archive in attempt to make them
more secure.

These scripts can be can be found here.
http://www.scriptarchive.com/nms.html

Hope this helps,

Todd

-----Original Message-----
From: plug-discuss-bounces@lists.plug.phoenix.az.us
[mailto:plug-discuss-bounces@lists.plug.phoenix.az.us] On Behalf Of Victor
Odhner
Sent: Thursday, January 12, 2006 7:07 AM
To: Main PLUG discussion list
Subject: Re: formail (was moron at perl/cgi)

Craig White wrote:

>Downloaded a simple perl-cgi script called ForMail.pl
>
>getting fast and loose with permissions...
>
>
I trust you know this, but ...

ForMail has some legendary security holes, due to its trust
of user data. Just google for formail exploit
to see 22 pages of references.
This script is a poster child for bad CGI usage.
Being under selinux would be no protection here.

Vic

---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change you mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss

---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change you mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss

This message is part of the following thread:
	the complete thread tree sorted by date
	Ric Whitney at