Hi Phweda,

I would suggest not calling an external program at all. Digest::MD5 has been in the Perl core since v5.8.

use Digest::MD5 qw/md5_hex/;
print md5_hex("123456"), "\n";
__END__
e10adc3949ba59abbe56e057f20f883e
[download]

(Update: Corion was a bit quicker than me ;-) )

Unfortunately, your code appears to have multiple security holes. As unpleasant as it might be to hear, such holes are nowadays considered quite serious. If this CGI script is public-facing, or anyone untrusted is using it, I have to recommend against using this script.

1. You're calling an external command with apparently unchecked user input ("open( CLIMD, "/usr/bin/md5sum --string=\"$newhashpassword\" |");"). I wrote about that, and ways to avoid it, here (although in this case the solution is even simpler, not call an external program at all).
2. SQL injection (e.g. "$dbh->prepare("SELECT ... WHERE ... email = '$FORM{EMAIL}'");"). You can read about that here; use DBI's placeholder feature instead.
3. Your code seems to be vulnerable to a Cross-site scripting (XSS) attack, see also this. (Update: You could use CGI's escapeHTML() function.)

I am also wondering about what sub ParseForm looks like. It's possible that some verification of the input might be done there that reduces the risk of the above, but until that is clear, it's better to err on the side of caution.

In regards to your question here: F447B20A7FCBF53A5D5BE013EA0B15AF is the MD5 sum of the string "123456\n".

Hope this helps,
-- Hauke D

@Corion and haukex, thanks I'll check that out

@haukex, how enlightening (pun), and I just posted it to the world. Great...

you said:

In regards to your question here:

F447B20A7FCBF53A5D5BE013EA0B15AF is the MD5 sum of the string "123456\n".

I *just now* got it... "sum" not "code".

Newb slow here.

Thanks!

as you can see, my version of md5sum does not support --string either

/usr/bin/md5sum --help
Usage: /usr/bin/md5sum [OPTION]... [FILE]...
Print or check MD5 (128-bit) checksums.
With no FILE, or when FILE is -, read standard input.

  -b, --binary         read in binary mode
  -c, --check          read MD5 sums from the FILEs and check them
  -t, --text           read in text mode (default)

The following three options are useful only when verifying checksums:
      --quiet          don't print OK for each successfully verified f
+ile
      --status         don't output anything, status code shows succes
+s
  -w, --warn           warn about improperly formatted checksum lines

      --strict         with --check, exit non-zero for any invalid inp
+ut
      --help     display this help and exit
      --version  output version information and exit

The sums are computed as described in RFC 1321.  When checking, the in
+put
should be a former output of this program.  The default mode is to pri
+nt
a line with checksum, a character indicating type (`*' for binary, ` '
+ for
text), and name for each FILE.

Report md5sum bugs to bug-coreutils@gnu.org
GNU coreutils home page: <http://www.gnu.org/software/coreutils/>
General help using GNU software: <http://www.gnu.org/gethelp/>
For complete documentation, run: info coreutils 'md5sum invocation'


/usr/bin/md5sum --version
md5sum (GNU coreutils) 8.13
Copyright (C) 2011 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gp
+l.html>.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Written by Ulrich Drepper, Scott Miller, and David Madore.
[download]

You may wish to see http://askubuntu.com/questions/53846/how-to-get-the-md5-hash-of-a-string-directly-in-the-terminal for workarounds.

Note that you can use Digest::MD5 to calculate the MD5 within Perl instead of running an external program:

use Digest::MD5 'md5_hex';
print md5_hex("123456");
__END__
e10adc3949ba59abbe56e057f20f883e
[download]

Looks like your CGI is executing an external md5sum which has a different call syntax on the new system.

On a side note: Please see How do I post a question effectively? on how to better ask questions.

Maybe --string=... should be --text=...?

@LanX, thanks. I figured I wasn't doing something correctly. In all my years I've never ever used a system like this.

@BrowserUk, nope. "--text" did not work. It yielded the following:

[Sat Feb 11 18:18:06.310530 2017] [cgi:error] [pid 32673] [client 97.9
+3.113.253:50798] AH01215: Try `/usr/bin/md5sum --help' for more infor
+mation.: /home/beee001/public_html/cgi-bin/eposturl.cgi

[Sat Feb 11 18:18:06.310432 2017] [cgi:error] [pid 32673]
[client 97.93.113.253:50798] AH01215: /usr/bin/md5sum: option '--text'
+ doesn't allow an argument: /home/beee001/public_html/cgi-bin/epostur
+l.cgi
[download]

I've made some progress!

I've replaced:

/usr/bin/md5sum --string\
[download]

With

/usr/bin/md5sum <<<\
[download]

and got:

Password Successfully Added.

Password: 123456

MD5 Check Sum: F447B20A7FCBF53A5D5BE013EA0B15AF

but this does not look like an MD5 Hash Code, and when I check an online generator... well, it's not the same.

Seeing that I don't really know what I'm doing (I'm googling), it's hit or miss. Maybe it's supposed to look like this. I'm going to enter the code on the client side of the API and see if it works. If it does, I'm done!