RE: Secure Form Script?

From: Bryce Porter (bporter_at_heart.net)
Date: 05/14/04

    Date: Fri, 14 May 2004 16:03:14 -0500
    To: "Stephen Samuel" <samuel@bcgreen.com>
    Stephen,

    When calling a binary directly, you run a lot of risks, especially
    format string vulnerabilities.

    I agree about using the fixed To: address, but I think he was originally
    wanting that to be flexible. If not, fixed is most definitely the way to
    go.

    Regards,
     
    Bryce Porter
    Network Administrator
    Heart Technologies, Inc.
    bporter@heart.net
    http://www.heart.net/
    309.633.2800 Technical Support
    309.634.2282 Direct
    309.634.2382 Fax
     

    -----Original Message-----
    From: Stephen Samuel [mailto:samuel@bcgreen.com]
    Sent: Friday, May 14, 2004 3:54 PM
    To: Bryce Porter
    Cc: focus-linux@securityfocus.com
    Subject: Re: Secure Form Script?

    In this case, I'm presuming that the destination address is fixed.
    The only input data on the header is the subject line, and that's
    pretty easy to sanitize.

    For the most part I'd agree that using something like Net::SMTP is
    a good idea, but what do you see as the issues with calling sendmail
    from a script?

    Bryce Porter wrote:
    > Or you can write your own script in Perl (or your language of choice)
    > that accepts a single To: parameter from an html form and runs the input
    > through a regular expression to "cleanse" the data. Then, perform the
    > actual sending using something like Net::SMTP, et. al. Never interface
    > directly with the sendmail binary, and never use a script that does. Let
    > me know if you need some help.

    -- 
    Stephen Samuel +1(604)876-0426                samuel@bcgreen.com
                   http://www.bcgreen.com/~samuel/
        Powerful committed communication. Transformation touching
          the jewel within each person and bringing it to light.
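The thread's recommendation (fixed destination address, the subject line as the only user-controlled header, whitelist it with a regular expression, and hand the message to an SMTP library rather than a sendmail binary) put into code. This is an added example, not a script from either poster; it uses Python's smtplib in place of the Perl Net::SMTP the thread mentions, and the addresses, host and port are placeholder assumptions.

```python
"""Form-to-mail handler in the shape the thread recommends (added example).

Design points:
  * The To: address is a constant; the form cannot choose the recipient.
  * The subject is the only header a user influences, and it must pass a
    printable-ASCII whitelist, so CR/LF (which would start a new header
    line, e.g. an injected Bcc:) can never reach the message.
  * The free-text body is placed in the MIME body via the email library,
    so newlines there cannot become headers.
  * Delivery uses an SMTP library; no shell, no sendmail binary.
"""
import re
import smtplib
from email.message import EmailMessage

# Assumed deployment values (placeholders, not from the thread).
FIXED_TO = "webmaster@example.com"
FIXED_FROM = "webform@example.com"
SMTP_HOST = "localhost"
SMTP_PORT = 25

MAX_SUBJECT_LEN = 120
# Whitelist: printable ASCII only. Anything below 0x20 (CR, LF, NUL, ...)
# or above 0x7e is rejected rather than stripped, so a value that passes
# cannot terminate the header line it is placed on.
_HEADER_OK = re.compile(r"[\x20-\x7e]*")


def is_safe_header_value(value: str) -> bool:
    """True if the whole string is printable ASCII (no control chars)."""
    return _HEADER_OK.fullmatch(value) is not None


def sanitize_subject(raw: str) -> str:
    """Validate the form-supplied subject; raise on any injection attempt."""
    subject = raw.strip()
    if not is_safe_header_value(subject):
        raise ValueError("subject contains control characters "
                         "(possible header injection)")
    if not subject:
        subject = "(no subject)"
    return subject[:MAX_SUBJECT_LEN]


def build_message(raw_subject: str, body: str) -> EmailMessage:
    """Assemble the mail with fixed From/To and a validated subject."""
    msg = EmailMessage()
    msg["From"] = FIXED_FROM
    msg["To"] = FIXED_TO
    msg["Subject"] = sanitize_subject(raw_subject)
    # The body is data, not headers: the library encodes it as the
    # text/plain part, so embedded newlines stay in the body.
    msg.set_content(body)
    return msg


def send(msg: EmailMessage) -> None:
    """Deliver over SMTP; nothing is passed through a shell."""
    with smtplib.SMTP(SMTP_HOST, SMTP_PORT) as smtp:
        smtp.send_message(msg)


if __name__ == "__main__":
    # Constructed form input: an ordinary submission, then one that tries
    # to smuggle an extra header through the subject field.
    ok = build_message("Order question", "Hello,\nwhere is my order?")
    print(ok.as_string())
    try:
        build_message("Hi\r\nBcc: someone@example.net", "body")
    except ValueError as exc:
        print("rejected:", exc)
```

The whitelist deliberately rejects rather than cleans: silently deleting a CR/LF hides a probe that a log line should record. Send-side code is kept separate from validation so the checks can be unit-tested without a mail server.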
