Re: [cobalt-users] CGI email
- Subject: Re: [cobalt-users] CGI email
- From: Keith Davis <cache@xxxxxxxxxx>
- Date: Wed May 9 12:42:01 2001
- Organization: Digital Odyssey Web Development
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
> http://www.securiteam.com/exploits/FormMail_discloses_environment_variables_information.html
Geezus! Securiteam.com lets anybody submit a so-called "exploit" and they
publish it without checking it out????
The env_report field is not a bug, it's a FEATURE!!
The env_report simply allows the owner of the script, or any other
approved recipient, to email himself the value of an environment
variable. It does NOT somehow magically allow the author of the so-called
exploit, or anyone else, to email himself that value, or anything else.
In order to get an environment variable emailed to himself the perp
would have to be able to fake the referrer and also be in the list of
approved recipients, assuming the owner specifies a list of approved
recipients (see earlier post).
But, if having such an env_report available bothers you, fix it:
change line 178 from
$Config{'env_report'} =~ s/(\s+|\n)?,(\s+|\n)?/,/g;
to
$Config{'env_report'} = "";
"WARNING!!! NEW EXPLOIT DISCOVERED!! The shebang line on Perl
scripts can be used to find out where Perl is located at on your
machine!! Run Charlie run, the hackers is commin!!"
Many of the contributors to this list could probably write an excellent
emailer in shell script, but a list that focuses on Cobalt products is
probably not the best place to find the best information about a
particular Perl script that has been widely used since day 2 of the
current era.
There are 61 form emailers listed on http://cgi.resourceindex.com
If you opt to get a new car instead of fixing the flat tire on the one you
have, beware, most of those 61 also use the referrer check that FormMail
uses.
keith