Missing Something.

Rafael Garcia-Suarez rgarciasuarez at gmail.com
Mon Oct 1 15:51:35 BST 2007


On 01/10/2007, Clooney, David <david.clooney at bankofamerica.com> wrote:
>     open(EMACRXFNP02, "<content_data/spdm828a/emacrxfnp02.emea.bankofamerica.com");
>
>     @crxfnp02_users = <EMACRXFNP02>;
>
>     close(EMACRXFNP02);
>
>     $chester_userid = (param('chester_userid'));
>
>     chomp $chester_userid;
>
>     if         ($crxfnp02_users =~ m/$chester_userid /i ) {

Where does this $crxfnp02_users variable come from? You're not
showing all the code. Also, is the trailing space intentional in your
regexp? But, most importantly, have you remarked that your CGI script
allows *arbitrary* source code execution through the chester_userid
parameter, and opens a huge security hole? You must avoid using
external data in regexps unless you have properly escaped the dangerous
characters in it (like, with quotemeta()).

>                 $client = 'servername.com';
>
>                  print $crxfnp02_users;
>
>                 }
>
> Cheers
>
> Dave
>
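An added illustration of the point above, not code from either poster: the membership check as written, beside a version that escapes the parameter with \Q...\E (the same thing quotemeta() does) and a version that avoids the regex entirely. It assumes $crxfnp02_users was meant to hold the joined contents of the user-list file, and stands a constructed in-memory list in for that file.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed stand-in for the user-list file from the original post:
# one user id per line, joined into the single string the m// check
# appears to expect.
my @crxfnp02_users = ("alice\n", "bob\n", "carol\n");
my $crxfnp02_users = join '', @crxfnp02_users;

# The original check: the CGI parameter is interpolated raw into the
# pattern, so any regex metacharacter the caller sends is treated as
# pattern syntax rather than as part of a user id.
sub is_member_unsafe {
    my ($userid) = @_;
    return $crxfnp02_users =~ m/$userid/i ? 1 : 0;
}

# Hardened check: \Q...\E escapes every metacharacter (quotemeta()),
# and the anchors with /m make the id match a whole line rather than a
# substring of some other id.
sub is_member_safe {
    my ($userid) = @_;
    return $crxfnp02_users =~ m/^\Q$userid\E$/im ? 1 : 0;
}

# Stricter still: an exact hash lookup needs no regex at all.
my %is_user = map { chomp(my $u = $_); lc($u) => 1 } @crxfnp02_users;
sub is_member_hash {
    my ($userid) = @_;
    return exists $is_user{ lc $userid } ? 1 : 0;
}

# "." is a constructed probe, not a user id: the raw check accepts it
# because it matches any character, the other two reject it.
for my $input ("bob", "mallory", ".") {
    printf "%-8s unsafe=%d safe=%d hash=%d\n", $input,
        is_member_unsafe($input), is_member_safe($input), is_member_hash($input);
}
```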


More information about the london.pm mailing list