RE: Secure Form Script?
From: Tim Greer (chatmaster_at_charter.net)
Date: 05/20/04
- Previous message: Philip Turner: "Re: iptables firewall script for debian-woody, 2.4.24"
- In reply to: Beth Skwarecki: "RE: Secure Form Script?"
- Next in thread: Tim Tompkins: "Re: Secure Form Script?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: Beth Skwarecki <beth@cz-na.com> Date: 19 May 2004 15:34:49 -0700
On Wed, 2004-05-19 at 09:36, Beth Skwarecki wrote:
> It's silly to be piping things to sendmail this way in perl. There are
> two reasons why:
>
> 1) To expand a bit on Bryce Porter's comments, it's much safer to use
> system()'s built-in argument handling than to attempt to sanitize
> arguments yourself before putting them all together on a command that
> the shell gets to execute:
...
> . This way, a "; rm -rf /" won't be
> executed as its own command, but just passed as an argument to the
> program (which may then ignore it, give an error, etc, as it pleases)
>
> 2) HOWEVER, it's silly to be using sendmail at all, in most cases. This
> is what the perl module Mail::Sendmail is for. You give it a hash with
> all the headers you want to send, and it sends directly (it is *not* a
> wrapper around the sendmail binary; it works on all platforms, even
> when sendmail is not installed):
Actually, it's only silly if you blindly pass arguments to it, or any
other program or shell, or anything that will get shell, for that matter.
If you open a pipe to sendmail, and you simply use something like
|/path/to/sendmail -t -io, then there's nothing unsafe about it.
It's when people shove other arguments in the command that it becomes a
problem. There's nothing wrong with piping to sendmail, as long as it
doesn't have other arguments.
Once you open the file descriptor, you'll be writing to that anyway.
I.e., open(MAIL, "|/path/to/sendmail -t -io") or die $!...
print MAIL "From: and so on";
That's perfectly safe in regards to piping. It is not if you don't check
the variables being passed in other fields, however. Granted, I'm not
arguing that the Mail::Sendmail module isn't a better solution, but that
piping to sendmail isn't the problem either--unless you have no business
writing a script in the first place (and the Sendmail module isn't going to
do everything for you), so you'll probably have holes in the script anyway.
Again, I'm not at all suggesting your response wasn't accurate or sound, but
just that there's a lot more to this issue than piping to a program, using
system (with shell escaping system("/bin/program", "argument1", 'arg2");, etc.)
The majority of problems are that people have the email recipient in the form
and allow it to be changed, allow any arguments (allowing CC: and BCC: fields),
not removing new lines allowing someone to put from: me@somewhere.net\n\nBcc:
a lot of people), not checking for valid email address syntax, passing arguments
unsafely to the piped (yes, of course) (or system call) program, and so on.
I don't see anything wrong with sanitizing arguments yourself, as long as you
know what you're doing--and it's not that hard. If you don't, module or not,
you will have a script with a hole in it. That's all I wanted to add, as there's
so many ways to exploit a mail script and few people seem to take all the needed
steps to do it. Your suggestion and those of others will hopefully help some
people, but I don't think just using another method other than piping to a program
is a significant part of the problem (though definitely helpful). I'm only speaking
from my experience and what I've seen in scripts I've reviewed.
-- Regards, Tim Greer
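The checks Tim lists (fixed recipient, no user-supplied arguments to sendmail, reject newlines in header fields, validate address syntax) as an added example, not code from either poster; it is in Python rather than Perl so the pipe uses an argument list instead of a shell string, and the sendmail path and recipient are assumed values.

```python
import re
import subprocess

# Recipient is hard-coded in the script and never read from the form (assumed address).
RECIPIENT = "webmaster@example.com"
# Fixed argument list: no shell is involved, and nothing from the form becomes an argument.
SENDMAIL = ["/usr/sbin/sendmail", "-t", "-oi"]  # path assumed

# Deliberately conservative address syntax: one local part, one domain, no spaces or controls.
ADDRESS_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


class HeaderInjection(ValueError):
    """Raised when a form value could terminate the current header and start another."""


def clean_header_value(value):
    """Reject CR, LF and other control characters so a field can't add Cc:/Bcc: lines."""
    if re.search(r"[\r\n\x00-\x1f\x7f]", value):
        raise HeaderInjection("control character in header field")
    return value.strip()


def clean_address(value):
    """A header-safe value that also has to look like a single email address."""
    value = clean_header_value(value)
    if not ADDRESS_RE.match(value):
        raise ValueError("invalid email address syntax")
    return value


def build_message(form):
    """Assemble headers from checked fields; the body is only ever after the blank line."""
    sender = clean_address(form.get("from", ""))
    subject = clean_header_value(form.get("subject", ""))
    body = form.get("body", "").replace("\r\n", "\n")
    return f"From: {sender}\nTo: {RECIPIENT}\nSubject: {subject}\n\n{body}\n"


def send(form):
    """Pipe the finished message to sendmail; -t reads recipients from the headers we built."""
    msg = build_message(form)
    proc = subprocess.Popen(SENDMAIL, stdin=subprocess.PIPE)
    proc.communicate(msg.encode())
    return proc.returncode


if __name__ == "__main__":
    # Constructed form submission carrying the newline trick quoted in the thread.
    bad = {"from": "me@somewhere.net\n\nBcc: everyone@example.org", "subject": "hi"}
    try:
        build_message(bad)
    except HeaderInjection as exc:
        print("rejected:", exc)
```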