From: Dave C. <da...@da...> - 2001-12-03 20:03:01
Jacqui Caren wrote:
> [posted and mailed]
>
> da...@da... (Dave Cross) wrote in <3C0...@da...>:
>
>> http://nms-cgi.sourceforge.net/
>
> First let me say I am impressed by the overall code
> quality - use of strict removal of env vars etc
> and -T makes for an excellent start on security :-)
>
> Now for the bad part, the first script I looked at has
> the **same** stupid bug that the MSA code has - namely
> it uses sendmail as a delivery subsystem.
>
> The problem with this is that any ISP (worth their salt)
> that has some of the sendmail anti-spam hacks enabled.
> If you are unlucky (I say lucky to have a good ISP)
> then this MTA will reject email that purports to originate
> from other than the uid of the process starting the sendmail
> process. Sendmail's delivery subsystem is a throwover from
> the need to support cron etc - it should not be seen as
> a way to deliver email from and to anyone...
>
> You pass in email addresses via cgi params - would it not
> be preferable to use something a bit more secure?
>
> IMHO it is all well and good to try and be a drop-in
> replacement, however leaving the MSA security holes
> to keep drop-inability is unacceptable.
>
> My worry with this is that a large value in $username
> that holds an EOT char could **possibly** execute a sequence
> of system commands given your shell wrapper under unixen
> systems.
>
> You also do not test the print to sendmail pipe
> or the close sendmail pipe for sendmail errors.
>
> Again these were known to be errors in MSA scripts.
>
> I encourage you to provide an alternative but please
> don't take your stuff down to his quality - or lack
> thereof. If the original design is in itself a security
> problem then revise it...
>
> Jacqui

Jacqui.

Thanks for your comments. I hope you don't mind that I've reposted them to the nms developers mailing list.

Perhaps you'd consider joining the mailing list to add your points of view - <http://lists.sourceforge.net/mailman/listinfo/nms-cgi-devel>

I think that someone was doing some work on tightening up the area that you mention. Unfortunately, the releases are at least a week out of date with the current CVS files (my bad!) You might like to take a look at the CVS version and see if it's any better.

There was some discussion of how to send email from the programs when this project was first discussed on the london.pm mailing list. My feeling is that it is very important not to rely on using CPAN modules as this could well have the effect of scaring our target audience and driving them back to the comfort of MSA. Our scripts have to be just as easy to use as the MSA equivalents. Given that restriction, we can either use sendmail or talk raw SMTP. We decided that sendmail was the best way to go.

If you have a better suggestion, we'd welcome your input on the developers mailing list.

In fact, that goes for everyone. The only way that the nms programs can be as good as I want them to be, is if we get as many opinions as possible. Please help us to achieve that.

Thanks,

Dave...
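
The three points in the quoted review (CGI-supplied addresses reaching sendmail, a shell sitting between the script and the MTA, and unchecked print/close on the pipe) can be addressed with core Perl only, as in this added example, which is not part of the original message and is not nms code. The helper names `clean_address`, `clean_header` and `send_mail`, the sendmail path and the sample inputs are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added illustration, not nms code. Helper names and the sendmail path are assumptions.
use strict;
use warnings;

# Assumed location; -t takes recipients from the headers, -oi stops a lone "." ending input.
my @SENDMAIL = ('/usr/lib/sendmail', '-oi', '-t');

# Accept only a conservative addr-spec; returning $1 also untaints the value under -T.
sub clean_address {
    my ($addr) = @_;
    return undef unless defined $addr && length($addr) <= 254;
    return $addr =~ /\A([A-Za-z0-9_.+-]+\@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)\z/ ? $1 : undef;
}

# Header values must stay on one line: replace CR, LF and other control characters.
sub clean_header {
    my ($text) = @_;
    $text = '' unless defined $text;
    $text =~ s/[\x00-\x1f\x7f]+/ /g;
    return $text;
}

# CGI values only ever travel on sendmail's stdin, never on its command line.
sub send_mail {
    my ($to, $from, $subject, $body) = @_;
    my $rcpt   = clean_address($to)   or die "rejected recipient address\n";
    my $sender = clean_address($from) or die "rejected sender address\n";

    local $ENV{PATH} = '/usr/bin:/bin';          # needed before any exec under -T
    delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
    local $SIG{PIPE} = 'IGNORE';                 # a dead sendmail then shows up as a failed print/close

    # List-form pipe open: sendmail is exec'd directly, no /bin/sh parses anything.
    open(my $mail, '|-', @SENDMAIL) or die "cannot start sendmail: $!\n";
    print {$mail} "To: $rcpt\nFrom: $sender\nSubject: ", clean_header($subject), "\n\n", $body, "\n"
        or die "write to sendmail failed: $!\n";
    close($mail)
        or die($! ? "closing sendmail pipe failed: $!\n" : "sendmail exited with status " . ($? >> 8) . "\n");
    return 1;
}

# Constructed sample inputs: show which CGI-style values the check accepts (no mail is sent).
unless (caller) {
    for my $in ('user@example.com', "user\@example.com\nCc: other\@example.net", 'not an address') {
        (my $shown = $in) =~ s/\n/\\n/g;
        printf "%-45s %s\n", $shown, defined(clean_address($in)) ? 'accepted' : 'rejected';
    }
}
```

The list form of a piped `open` needs Perl 5.8 or later; on older interpreters the equivalent is a forking `open($fh, '|-')` followed by `exec` with a list in the child.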