I can't imagine anyone actually providing a direct portal to files via a form.

There have been two recent cases on this site where someone has linked to code they've inherited/written that has done this (and more). Luckily, in both cases they were very open to suggestions and took the code down immediately and went off to learn more about security.

anyone who does anything in CGI should study the topic very closely before they use a script anyway.

Should and do are two very different things. It's no secret that many people first come into contact with Perl by trying to write a script for their website. Saying "well you should have studied security" after the fact is of little use. The more that is written on the subject, and the more commonplace it becomes, the better.

Fair enough. I guess it was a bit of a knee jerk reaction. I'm just not fond of those who blame the tool instead of the user (and to me that seemed to be what the author was doing). The presentation seemed a little cavalier to me.

I'm mediocre at best (but improving, thanks perl monks) and tend to be very paranoid. However, it still seems horrifically lax not to look up these sorts of things (to me at least). I do mostly data munging so I'm hardly an expert.

You are right though. Consider me properly chastised. :)

I agree. There is nothing really new but I've never seen before one paper which summaries several different vulnerabilities like this one. I like this article because it is good introduction for newbie programmers as it covers several topics at same time.

--
Ilya Martynov (http://martynov.org/)