dvergin has asked for the wisdom of the Perl Monks concerning the following question:
I am poor at sniffing out vulnerabilities in code written in ways I would not have chosen in the first place, so I have two questions for those more practiced in this: 1) Is the following material vulnerable from a security perspective? 2) What is some sample input that would demonstrate that vulnerability? (The boss-man will want to know.)
The whole script these fragments come from has a variety of issues (e.g.: the possibility of simultaneous writes to the data file <Update> and the simplistic invocation of the sendmail pipe </Update>) but my specific question here is regarding any security issues.
The original script lacks '-T' taint checking (this will be rectified <Update> which will, of course, require some sort of untainting of greater or lesser degree </Update>). So I guess my question boils down to whether there is a problem with printing potentially tainted form data to a file and to the sendmail pipe -- and how can I quickly demonstrate any vulnerabilities <Update> and code appropriate untainting </Update>.
<Update> The script does no sanity checks on the data in the '%in' hash </Update> and I am assuming that cgi-lib.pl does nothing to untaint the values it passes from the html form.
#!/usr/bin/perl
require "cgi-lib.pl";
&ReadParse;                        # fills %in from the form; values are not checked
$mailprog = '/usr/sbin/sendmail';
# ...omitted cruft
open(FILE, ">>somefile.txt") || die "Can't find the database\n";
print FILE "$in{'itemName'}|$in{'itemDate'}|etc..etc..\n";   # one pipe-delimited record per line
close(FILE);
# ...more code passes
open (MAIL, "|$mailprog -t") || die "Can't open mail program\n";
print MAIL "misc hard-coded email header stuff here\n";
# ...etc, etc.
print MAIL "Name: $in{'myName'}\n";
print MAIL "Contact Information: $in{'contact'}\n";
# ...more of same
close(MAIL);
# ...
------------------------------------------------------------
"Perl is a mess
and that's good because the
problem space is also a mess." - Larry Wall
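The following is an added example, not code from dvergin's post or from cgi-lib.pl. It answers the two questions directly: the constructed `%in` values are sample input that corrupts the pipe-delimited record and tampers with the sendmail stream, and `untaint_field` is one way to clear the taint flag before the values reach the file or the pipe. It assumes the elided hard-coded header block in the post is not followed by a blank line (so the `Name:` line lands in the headers), and it uses made-up addresses and the hypothetical names `record_as_posted`, `record_hardened`, `mail_as_posted`, `mail_hardened` and `send_mail`. Because the input is a literal, nothing here is actually tainted; in the real CGI the same values arrive tainted via `&ReadParse`, and the regex capture in `untaint_field` is what satisfies `-T`.

```perl
#!/usr/bin/perl -T
# Added example (not from the original post or cgi-lib.pl): what hostile
# form values do to the pipe-delimited record and to the sendmail stream,
# and one untainting routine that closes both holes. Run with: perl -T
use strict;
use warnings;

# Taint mode refuses to start an external program with an untrusted PATH.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Constructed stand-in for the %in hash that &ReadParse fills from the form.
# These values are the "sample input" that demonstrates the problem.
my %in = (
    itemName => "widget|1999-12-31|bogus\nfaked|2000-01-01|second record",
    itemDate => "2001-01-01",
    myName   => "Mallory\nBcc: everyone\@example.com",     # header injection
    contact  => "see below\n.\nthis part never arrives",    # lone-dot truncation
);

# --- the data file ---------------------------------------------------------
# As posted: a '|' or newline inside a field adds columns or whole rows.
sub record_as_posted {
    my ($in) = @_;
    return join('|', @{$in}{qw(itemName itemDate)}) . "\n";
}

# Untaint one field: delete the record delimiter and line breaks, then keep
# only printable ASCII up to a length cap. The regex capture is what clears
# the taint flag under -T, so the character class is the whitelist.
sub untaint_field {
    my ($value, $max) = @_;
    $max ||= 200;
    $value = '' unless defined $value;
    $value =~ tr/\r\n|//d;
    my ($clean) = $value =~ /\A([ -~]{0,$max})/;
    return defined $clean ? $clean : '';
}

sub record_hardened {
    my ($in) = @_;
    return join('|', map { untaint_field($in->{$_}) } qw(itemName itemDate)) . "\n";
}

# --- the mail ---------------------------------------------------------------
# As posted, assuming the hard-coded header block is not followed by a blank
# line (assumption; the post elides it): "Name:" is then a header, so a
# newline in myName injects a Bcc that "sendmail -t" will honour, and a
# body line holding only "." ends the message unless -i is given.
sub mail_as_posted {
    my ($in) = @_;
    return join '',
        "To: orders\@example.com\n",          # example addresses, constructed
        "From: webform\@example.com\n",
        "Subject: Form submission\n",
        "Name: $in->{myName}\n",
        "Contact Information: $in->{contact}\n";
}

# Hardened: form data only after the blank line, every field untainted.
sub mail_hardened {
    my ($in) = @_;
    return join '',
        "To: orders\@example.com\n",
        "From: webform\@example.com\n",
        "Subject: Form submission\n",
        "\n",
        "Name: " . untaint_field($in->{myName}) . "\n",
        "Contact Information: " . untaint_field($in->{contact}) . "\n";
}

# List-form open: no shell sees the arguments. -i stops a lone "." from
# ending the message early; -t still takes recipients from the headers,
# which is acceptable only because nothing tainted reaches them now.
sub send_mail {
    my ($message) = @_;
    open(my $mail, '|-', '/usr/sbin/sendmail', '-t', '-i')
        or die "Can't open mail program: $!\n";
    print {$mail} $message;
    close($mail) or die "sendmail exited with status $?\n";
}

print "--- record as posted ---\n",  record_as_posted(\%in);
print "--- record hardened ---\n",   record_hardened(\%in);
print "--- mail as posted ---\n",    mail_as_posted(\%in);
print "--- mail hardened ---\n",     mail_hardened(\%in);
# send_mail(mail_hardened(\%in));    # on a host with sendmail installed
```

Running it prints the "as posted" record as two lines with extra columns and the "as posted" mail with a `Bcc:` header Mallory supplied, while the hardened versions collapse each field to a single line of printable ASCII. Note that the posted `open(MAIL, "|$mailprog -t")` is not itself a shell-injection hole, because `$mailprog` is a constant; the list-form `open` above is there so that `-T` has nothing to complain about and so the pattern stays safe if someone later makes the program path configurable.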