Beefy Boxes and Bandwidth Generously Provided by pair Networks
Do you know where your variables are?
 
PerlMonks  

Re: Blackbox implementation, but....

by cjf (Parson)
on Apr 29, 2002 at 08:10 UTC ( [id://162782]=note: print w/replies, xml ) Need Help??


in reply to Blackbox implementation, but....

a fairly simple CGI that is similar to the infamous formmail.pl from Matt's Script Archive

How is the script you modified different from the NMS Formmail script? If the company who created the script is refusing to let you make your changes public, just use the NMS script, and modify it slightly if necessary. In my experience it's better just to stay out of such messes with incompetent companies.

Also keep in mind that you may have fixed most of the problems, but adding strict, warnings, and taint checking doesn't make a piece of code secure and reliable. There have been more people working on the NMS scripts for longer, and although Re-inventing wheels is not always bad, doing it does have its downsides.

Replies are listed 'Best First'.
Re: Re: Blackbox implementation, but....
by IndyZ (Friar) on Apr 29, 2002 at 10:05 UTC
    The biggest difference is that the script is seperated from the html and uses redirects to push the user around to success/fail pages.

    As I said in my last post, after looking at the source I wouldn't have even considered using it, but this friend had already built his HTML around it and would have figured out how to make it work without me (the shebang line was wrong), so I figured I might as well do what I could. I am fully aware that using strict, the CGI module, warnings, and taint do not make a script secure. However, it probably won't hurt. In addition, I made changes to the script's broken input validation and a few regexes that weren't as solid as the original coder probably thought they were. In the end I know for a fact that I closed one security hole and I am reasonably sure that I didn't introduce any new problems.

    --
    IndyZ

[reply]
      In the end I know for a fact that I closed one security hole and I am reasonably sure that I didn't introduce any new problems.

      There are a lot more people who are reasonably sure that the NMS scripts don't introduce security problems :).

      Considering the problems with the creators of the original faulty script your friend was using, I'd recommend you either rewrite the script from scratch or adapt the NMS ones (separation of code and HTML is usually a good thing). If you choose to rewrite the script, it will probably be more work and will result in a less solid script than if you adapted one of the NMS ones.

      Your call though, check Re-inventing the wheel is a 'Good Thing' for more opinions on the issue.

[reply]

      In the end I know for a fact that I closed one security hole and I am reasonably sure that I didn't introduce any new problems.

      i get the impression that this is a script that the company makes available to the public. if you know for a fact that you closed a security hole, it would logically imply that the version the company is distributing contains a security hole. i think the responsible thing to do would be to publish the vulnerability on bugtraq or some other appropriate forum.

      if other people are using it, publishing the vulnerability may encourage them to either remove it from their servers or fix it. it would also perhaps encourage the company to integrate some of your changes and maybe consider being a little nicer to people who send them patches in the future.

      anders pearson

[reply]

In Section Meditations

Log In?
Username:
Password:

What's my password?
Create A New User
Domain Nodelet?

www.com | www.net | www.org
Node Status?
node history
Node Type: note [id://162782]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this?Last hourOther CB clients
Other Users?
Others romping around the Monastery: (3)
As of 2024-04-16 04:33 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    No recent polls found