formail (was moron at perl/cgi)
Craig White
craigwhite at azapple.com
Thu Jan 12 08:23:51 MST 2006
On Thu, 2006-01-12 at 07:07 -0700, Victor Odhner wrote:
> Craig White wrote:
>
> >Downloaded a simple perl-cgi script called ForMail.pl
> >
> >getting fast and loose with permissions...
> >
> >
> I trust you know this, but ...
>
>
> ForMail has some legendary security holes, due to its trust
> of user data. Just google for formail exploit
> to see 22 pages of references.
> This script is a poster child for bad CGI usage.
> Being under selinux would be no protection here.
----
that's pretty well documented in the README and in the source. There
seems to be adequate restrictions on senders/recipients now.
As for the poster child for bad CGI...I am the unwitting consumer of bad
CGI - if you can point me to better code...I would appreciate it.
Craig
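The hole Victor describes is that FormMail-style handlers take the destination address and header fields straight from the submitted form. An added example of the kind of restriction the reply mentions, written for this thread and not taken from FormMail or from either poster: a handler that only delivers to a configured allowlist and refuses header values containing line breaks. The field names (recipient, email, subject, comments), the allowlist and the sample submissions are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example, not FormMail's own code: a form handler that refuses to
# let the submitter choose the destination address or inject mail headers.
# Field names, the allowlist and the sample submissions are assumptions.
use strict;
use warnings;

# Constructed allowlist: the only addresses that may receive form output.
my %allowed_recipient = map { lc($_) => 1 }
    ('webmaster@example.com', 'sales@example.com');

# Accept a recipient only if it matches the allowlist after trimming.
sub valid_recipient {
    my ($addr) = @_;
    return 0 unless defined $addr;
    $addr =~ s/^\s+|\s+$//g;
    return exists $allowed_recipient{ lc $addr } ? 1 : 0;
}

# Anything placed in a header must be a single line; a CR or LF would
# let the submitter append extra headers such as Bcc: to the message.
sub valid_header_value {
    my ($value) = @_;
    return 0 unless defined $value;
    return 0 if $value =~ /[\r\n\x00]/;
    return 0 if length($value) > 200;
    return 1;
}

# Deliberately strict sender check: one local part, one domain, no
# whitespace, angle brackets or line breaks. Enough for a Reply-To field.
sub valid_sender {
    my ($addr) = @_;
    return 0 unless defined $addr;
    return $addr =~ /^[A-Za-z0-9._%+-]+\@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$/ ? 1 : 0;
}

# Validate a decoded submission and build the message text, or say why not.
# Returns { ok => 1, to => $addr, message => $text } or { ok => 0, error => $why }.
sub build_message {
    my ($form) = @_;
    return { ok => 0, error => 'recipient not in allowlist' }
        unless valid_recipient($form->{recipient});
    return { ok => 0, error => 'bad sender address' }
        unless valid_sender($form->{email});
    return { ok => 0, error => 'subject contains line breaks or is too long' }
        unless valid_header_value($form->{subject});
    my $body = defined $form->{comments} ? $form->{comments} : '';
    my $message = join "\n",
        "To: $form->{recipient}",
        "Reply-To: $form->{email}",
        "Subject: $form->{subject}",
        '',
        $body;
    return { ok => 1, to => $form->{recipient}, message => $message };
}

# Constructed submissions: an honest one, one that picks its own
# recipient, and one that tries to smuggle a Bcc: header via the sender.
my @submissions = (
    { recipient => 'sales@example.com',
      email     => 'customer@example.org',
      subject   => 'Price list request',
      comments  => 'Please send your current catalogue.' },
    { recipient => 'someone@example.net',
      email     => 'sender@example.org',
      subject   => 'Hello',
      comments  => 'unsolicited text' },
    { recipient => 'sales@example.com',
      email     => "sender\@example.org\r\nBcc: someone\@example.net",
      subject   => 'Hello',
      comments  => 'unsolicited text' },
);

for my $form (@submissions) {
    my $result = build_message($form);
    if ($result->{ok}) {
        print "ACCEPT -> $result->{to}\n$result->{message}\n\n";
    } else {
        print "REJECT: $result->{error}\n\n";
    }
}
```

Run it with `perl formcheck.pl`: the first submission is accepted, the second is rejected because the recipient is not on the allowlist, and the third is rejected because the sender field contains a line break. The point of the structure is that the destination is fixed by the site operator, never by the form, and that every value copied into a header is checked for line breaks before the message is handed to the mailer.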