perl cgi problem


Dave Cross

(snipped a new story)


> Did a quick spot check of a NMS script this morning. Same script I
> checked a couple of years back. Still totally FUBAR. Didn't even need to
> load and run it to find two major problems, one of those problems, a
> major security hole about which most beginners are aware. A quick visual
> scan, problems jump out then slap you across your face, Cross. Double
> cross, that.

Which program did you check? And what problem do you think you have found?
A few more details would be useful :)

> That script cannot correctly print a simple date / time stamp.

It can on every system it's been tried on but yours. If you gave us the
details of your platform then we'll be happy to investigate your problem
further.

> It uses a referral variable for a significant security feature.

Well, it uses HTTP_REFERER for an optional (and largely deprecated)
security feature. I'm pretty sure we document it as being weak.

> When you try to access a readme, changes and other documents,
>
> Forbidden
>
> You don't have permission to access whatever it is you want to read on
> this server.
>
> Apache/1.3.26 Server at nms-cgi.sourceforge.net Port 80

You're absolutely right. There was a problem with the web site. I've fixed
that now.

> Your advertisements claim scripts written by "experts" out of London
> Perl Mongers.

Yeah. That's inaccurate. We have contributions from experts all over the
world - not just London :)

> Use of a referral variable for security?

Like I said above - we don't really advertise that as a security feature.
Not only is it trivial to fake the HTTP_REFERER header, but we've noticed
recently that many personal firewalls strip this header which makes that
check useless. For that reason, formmail now ships with the
$allow_empty_ref variable set to 1 which disables all referrer checking.

So your current list of problems is:

1/ POSIX doesn't seem to create usable timestamps on your platform.

2/ You don't like a deprecated security feature.

Is there anything else?

Dave...
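An added illustration of the referer check discussed in the post above, written in Perl. It is not from the original thread and is not the NMS formmail source: it is a minimal check of the kind a formmail-style CGI applies, run over constructed sample requests to show that a legitimate request whose Referer header a personal firewall has stripped is rejected unless an $allow_empty_ref-style switch is on, and that with the switch on the check no longer tells such a request apart from any other. The allowed host list, the request values and the function name check_referer are all made up for the example.

```perl
#!/usr/bin/perl
# Added illustration (not the NMS formmail source): a minimal referer
# check of the kind the thread discusses, showing why a missing header
# breaks it and what an $allow_empty_ref-style switch changes.
use strict;
use warnings;

# Hosts a form is allowed to be submitted from (constructed sample values).
my @referers = ('www.example.org', 'example.org');

# Returns 1 if the request passes the referer check, 0 otherwise.
# $ref is the raw HTTP_REFERER value as a CGI sees it in %ENV
# (possibly undef or empty); $allow_empty mirrors the documented
# NMS option name: 1 = accept requests that carry no Referer at all.
sub check_referer {
    my ($ref, $allow_empty) = @_;

    # No header at all: this is what a browser behind a header-stripping
    # personal firewall looks like, as well as what a hand-made request
    # without the header looks like. The check cannot tell them apart.
    if (!defined $ref || $ref eq '') {
        return $allow_empty ? 1 : 0;
    }

    # Extract the host part of the referer URL; anything unparseable fails.
    my ($host) = $ref =~ m{^https?://([^/:]+)}i or return 0;

    for my $ok (@referers) {
        return 1 if lc $host eq lc $ok;
    }
    return 0;
}

# Constructed sample requests, as a CGI would see them.
my @requests = (
    { desc => 'normal browser',  ref => 'http://www.example.org/form.html' },
    { desc => 'header stripped', ref => undef },
    { desc => 'other site',      ref => 'http://other.example.net/page' },
);

for my $r (@requests) {
    for my $allow_empty_ref (0, 1) {
        printf "%-16s allow_empty_ref=%d -> %s\n", $r->{desc}, $allow_empty_ref,
            check_referer($r->{ref}, $allow_empty_ref) ? 'accepted' : 'rejected';
    }
}
```

With $allow_empty_ref at 0 the "header stripped" request is rejected even though it came from a legitimate user, which is the complaint the post mentions; with it at 1 that request is accepted, but so is any other request that simply omits the header, so the remaining host comparison only ever applies to clients that choose to send a Referer. That is why the check is documented as weak rather than as a security feature.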

Alan J. Flavell

Taken from
http://www.google.com/groups?selm=Pine.LNX.4.30.0112011537350.28435-100000@lxplus023.cern.ch

> It looks as if Dave and co are doing a good job, and one that needed
> doing. All credit to him and his co-workers for that, and to
> exposing their development efforts to public scrutiny.
> [..]
> No matter that what they are claiming
>
> [viz. about the inadequacies in the original scripts]
>
> seems to be factually accurate, this detail of how they are
> presenting it is - in that respect - diplomatically unwise.
>
> It would be wiser for them to state what is available, and allow the
> public comments on how it stacks up against the opposition to emerge
> from others.

I don't know how any sane person could interpret that as an accusation
of spamming.

> Well, he didn't accuse us of spamming

Quite right

> he expressed some distaste for the content of the site.

Not really: I thought it was entirely justified; but politically
unwise to emphasise it. The principle of "knocking copy", you know.

I shall be glad when this troll-feeding frenzy fades out, to be
honest. But I couldn't leave Dave to wield this particular clue-iron
alone.[1]

cheers

[1] Or maybe that one: http://www.codesmiths.com/shed/things/clueiron/