
calling a perl script that calls another perl script through a webform

  • 14-05-2008 4:52pm
    #1


    lol bit of a long title :pac:

    i have this html file that has a form like this
    <form action="test.pl">
        <input type="submit" />
    </form>
    
    test.pl looks like this.
    #!/usr/bin/perl
    
    print "Content-type: text/html\n\n";
    
    print "form submitted";
    
    # the user id to look up (hard-coded for now)
    my $id = 'ncremins';
    
    # run the lookup script and capture its output
    my $address = `./address_lookup $id`;
    
    print $address;
    
    ok address_lookup.pl searches through an LDAP directory looking for my $id and returns an email address based on that $id.

    when i run address_lookup.pl on the command line it returns n.cremins[at]yaddayadda.com

    but when i click the submit button on the html form i get output to the browser "form submitted" then i get an error printed out

    "The server encountered an internal error or misconfiguration and was unable to complete your request..."

    i looked at the apache error log and this is what it had to say.

    [Wed May 14 16:48:32 2008][error] Insecure $ENV{PATH} while running setgid at /home/cm/cgi-bin/scripts/test.pl line 7.

    which is the line my $address = `./address_lookup $id`;

    running test.pl from the command line will work and print out the returned email.


Comments

  • Closed Accounts Posts: 1,444 ✭✭✭Cantab.


    You're in taint mode (which is a good thing if you're in cgi-bin!)

    Examine your setuid and setgid bits.

    Alternatively, you can still write an insecure system or exec.


  • Registered Users Posts: 6,509 ✭✭✭daymobrew


    When in taint mode I set the PATH and delete a few environment variables (the latter a suggestion from the Security chapter of the "Programming Perl"/Camel book).
    # Set PATH and remove some environment variables for running in taint mode.
    $ENV{ 'PATH' } = '/bin:/usr/bin:/usr/local/bin';
    delete @ENV{ 'IFS', 'CDPATH', 'ENV', 'BASH_ENV' };
    
    You must also validate the $address variable after running the address_lookup script.
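
Putting the two replies together, as an added example that is not code from this thread: a taint-safe rewrite of test.pl in Perl. It assumes a lookup helper named ./address_lookup.pl in the same directory that prints one e-mail address for the id it is given, an optional id= query parameter (the original form sends none, so it falls back to ncremins), and a character set for valid user ids; all three are assumptions made for this example, not facts from the thread.

```perl
#!/usr/bin/perl -T
# Added example, not code from the thread. Run as ./test.pl or perl -T test.pl
# (with -T on the #! line, a plain "perl test.pl" dies with "Too late for -T").
# Assumes a hypothetical ./address_lookup.pl that prints one e-mail address
# for the user id passed as its single argument.
use strict;
use warnings;

# Perl switches taint checks on by itself when the process runs setuid or
# setgid, so a CGI in a setgid cgi-bin behaves as if -T had been given.
# Under taint mode any child process (backticks, system, piped open) is
# refused until $ENV{PATH} is trusted. The fix from the "Programming Perl"
# security chapter: set PATH to known directories and drop variables that
# could change how a child shell behaves.
$ENV{PATH} = '/bin:/usr/bin:/usr/local/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

print "Content-type: text/html\n\n";

# Read id= from the query string. Everything from the CGI environment is
# tainted; split() keeps it tainted, so nothing is trusted yet.
my %param;
my $query = defined $ENV{QUERY_STRING} ? $ENV{QUERY_STRING} : '';
for my $pair (split /&/, $query) {
    my ($k, $v) = split /=/, $pair, 2;
    $param{$k} = $v if defined $k && defined $v;
}
# The original form has no id field; fall back to the poster's hard-coded id.
my $raw_id = (defined $param{id} && length $param{id}) ? $param{id} : 'ncremins';

my $id = untaint_id($raw_id);
unless (defined $id) {
    print "bad id\n";
    exit 0;
}

my $address = lookup_address($id);
if (defined $address) {
    print "form submitted<br>\n";
    print "address: $address\n";
} else {
    print "lookup failed\n";
}

# Untaint by regex capture: only a plain login name (assumed charset) gets
# through, so the value can safely become a child process argument.
sub untaint_id {
    my ($in) = @_;
    return $in =~ /\A([a-z0-9._-]{1,32})\z/ ? $1 : undef;
}

# Run the lookup without a shell. The list form of open passes $id as one
# argv element, so it can neither be word-split nor used to inject commands,
# which the original `./address_lookup $id` backticks would allow.
sub lookup_address {
    my ($id) = @_;
    open(my $fh, '-|', './address_lookup.pl', $id) or return;
    my $out = <$fh>;
    close $fh;
    return unless defined $out;
    chomp $out;
    # Data read from a pipe is tainted as well: accept only something shaped
    # like an address before echoing it back into the page.
    return $out =~ /\A([A-Za-z0-9._%+-]+\@[A-Za-z0-9.-]+\.[A-Za-z]{2,})\z/ ? $1 : undef;
}
```

The two regex captures are the whole point: in taint mode a value becomes usable in a child process or a file operation only after it has passed through a pattern match, so the patterns double as the input validation. If the helper is ever called with a shell (a single-string system or backticks), the PATH setting keeps taint mode happy but the untainted $id must still be restricted to characters the shell cannot misinterpret.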

