RE: Matt Wright's formMail

2002-05-15 Thread Camilo Gonzalez

Verio, the world's largest ISP.

-Original Message-
From: Dave Cross [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 14, 2002 12:37 PM
To: [EMAIL PROTECTED]
Subject: Re: Matt Wright's formMail


On Mon, 13 May 2002 16:07:54 +0100, Camilo Gonzalez wrote:

 I've just been informed by my ISP that Matt Wright's formMail will no
 longer be allowed on any of their servers due to glaring security
 concerns. I know now I shouldn't have used it but back then I was stupid
 and not a subscriber to this fine list. Let this serve as a warning to
 those still using his crap. Does anyone have the URL of that site that
 offers alternatives to Matt's scripts?

Can you please tell me which ISP this is. I'm trying to keep a list of
ISPs that have come to their senses and banned Matt's scripts.

Dave...

-- 
  Don't you boys know any _nice_ songs?

-- 
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]





Re: Matt Wright's formMail

2002-05-15 Thread Kevin Meltzer

Yay us! (I work for Verio)

Cheers,
Kevin

On Wed, May 15, 2002 at 08:40:45AM -0500, Camilo Gonzalez 
([EMAIL PROTECTED]) said something similar to:
 Verio, the world's largest ISP.
 
 Can you please tell me which ISP this is. I'm trying to keep a list of
 ISPs that have come to their senses and banned Matt's scripts.
 
 Dave...
 

-- 
[Writing CGI Applications with Perl - http://perlcgi-book.com]
I find this a nice feature but it is not according to the documentation.
   Or is it a BUG?  Let's call it an accidental feature. :-)
-- Larry Wall in [EMAIL PROTECTED]





RE: Matt Wright's formMail

2002-05-15 Thread Dave Cross

On Wed, 15 May 2002 16:34:48 +0100, Camilo Gonzalez wrote:

 I emailed Mr. Wright concerning the security oversights and the fact
 Verio won't let me us his script anymore and have yet to hear from him.
 How assholic can one get? Is he still alive? Does anyone know what he's
 doing now?

To be fair to Matt, he does get a _lot_ of email on that subject.

I don't know what he does these days, but he occasionally updates the
scripts. As I mentioned before the latest version (1.92) does fix just
about all of the security problems in FormMail. It's still very nasty
code tho :)

Dave...

-- 
  ...she opened strange doors that we'd never close again





RE: Matt Wright's formMail

2002-05-15 Thread Scot Robnett

Somebody just said assholic. I like that word. Should it be used when
evaluating code? It could escalate something like this. :)

loose
unclear/uncommented
buggy/unstable
contains security flaws
completely unsafe
stupid
assholic






Re: Matt Wright's formMail

2002-05-14 Thread Dave Cross

On Mon, 13 May 2002 17:14:03 +0100, Drieux wrote:


 On Monday, May 13, 2002, at 08:52 , Kevin Meltzer wrote:
 
 try the rewrite from NMS:

 http://nms-cgi.sourceforge.net/

 Cheers,
 Kevin
 
 which version of the code is the 'problem' version?
 
 what is the current specific 'security' issue?
 
 there was a security update to v1.92 on 04/21/02 has there been some new
 issue arise??? since then?

Matt's version 1.92 fixes all of the spam relay problems with FormMail.
There are, I believe, a couple of Cross-Site Scripting vulnerabilities
remaining.

However secure this version is, it's still written for Perl 4 and
doesn't use strict, -w, taint mode or CGI.pm. It's a really bad
example of Perl code and I wouldn't want anyone to see the source and
think they can learn Perl from it.

Dave...

-- 
  ...she opened strange doors that we'd never close again





Re: Matt Wright's formMail

2002-05-14 Thread drieux


volks,

thanks for the scoop on what is what...

I'd prefer a gooder reason to a jihaud - and I think a sufficiency
of explanation has been presented. I R new to CGI in perl - sort of
had it thrust upon me since 'well you know perl'

On Tuesday, May 14, 2002, at 10:45 , Dave Cross wrote:
 On Mon, 13 May 2002 17:14:03 +0100, Drieux wrote:
[..]
 there was a security update to v1.92 on 04/21/02 has there been some new
 issue arise??? since then?

 Matt's version 1.92 fixes all of the spam relay problems with FormMail.
 There are, I believe, a couple of Cross-Site Scripting vulnerabilities
 remaining.

thanks for the heads up on that. My working premise then is that any
such issues are closed in the nms? I have only just started to
deconstruct it. There seems to be way more firepower in this
than I think we will want to use but...

I have found a few things I would wonder about - but these tend to
be the sorts of trade offs on when is it really better to code
in line - or have a simple function test

 However secure this version is, it's still written for Perl 4 and
 doesn't use strict, -w, taint mode or CGI.pm. It's a really bad
 example of Perl code and I wouldn't want anyone to see the source and
 think they can learn Perl from it.
[..]

So far about the only complaint I have with the nms FormMail
is that the tarball did not come with a version number in it,
hence I have no tracking control on the tarball or the folder
that it generates.

Unfortunately, I R 'the perl guy' - and the version 1.65? that
had been running ran for a few years without problems - and it
was only recently that the relay attack was executed - and I was
asked to take a look to figure out what could be done to fix it,
hence hauled in the 1.92 version - verified it was ok, and we
were back in bizniz... But that is also why I R Here and asking
the 'ok, so I'm Blithely Naive...' classes of questions.


ciao
drieux

---






Matt Wright's formMail

2002-05-13 Thread Camilo Gonzalez

I've just been informed by my ISP that Matt Wright's formMail will no
longer be allowed on any of their servers due to glaring security concerns.
I know now I shouldn't have used it but back then I was stupid and not a
subscriber to this fine list. Let this serve as a warning to those still
using his crap. Does anyone have the URL of that site that offers
alternatives to Matt's scripts?

#!/usr/local/bin/perl
print <<'EOF';
 Camilo Gonzalez
 Web Developer
 Taylor Johnson Associates
 [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
 www.taylorjohnson.com <http://www.taylorjohnson.com/>
EOF


 



Re: Matt Wright's formMail

2002-05-13 Thread Lisa Nyman

Hi,

Not Matt's Scripts

http://nms-cgi.sourceforge.net/scripts.shtml

-lisa






Re: Matt Wright's formMail

2002-05-13 Thread fliptop

Camilo Gonzalez wrote:

 I've just been informed by my ISP that Matt Wright's formMail will no
 longer be allowed on any of their servers due to glaring security concerns.
 I know now I shouldn't have used it but back then I was stupid and not a
 subscriber to this fine list. Let this serve as a warning to those still
 using his crap. Does anyone have the URL of that site that offers
 alternatives to Matt's scripts?


http://nms-cgi.sourceforge.net/

they have drop-in replacements for most of matt's old code.






Re: Matt Wright's formMail

2002-05-13 Thread Kevin Meltzer

try the rewrite from NMS:

http://nms-cgi.sourceforge.net/

Cheers,
Kevin


-- 
[Writing CGI Applications with Perl - http://perlcgi-book.com]
Disciple   - Master, why isn't everything perfect?
Zen Master - It is.





RE: Matt Wright's formMail

2002-05-13 Thread Camilo Gonzalez

Thank you all for this link.

-Original Message-
From: Kevin Meltzer [mailto:[EMAIL PROTECTED]]
Sent: Monday, May 13, 2002 10:53 AM
To: Camilo Gonzalez
Cc: [EMAIL PROTECTED]
Subject: Re: Matt Wright's formMail







Re: Matt Wright's formMail

2002-05-13 Thread drieux


On Monday, May 13, 2002, at 08:52 , Kevin Meltzer wrote:


 try the rewrite from NMS:

 http://nms-cgi.sourceforge.net/

 Cheers,
 Kevin

which version of the code is the 'problem' version?

what is the current specific 'security' issue?

there was a security update to v1.92 on 04/21/02
has there been some new issue arise??? since then?


ciao
drieux

---


-- 
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]




RE: Matt Wright's formMail

2002-05-13 Thread Camilo Gonzalez

The problems seem to be that it uses the Referer environmental variable to
exclude spammers and it gives the option of encoding data in the URL. I've
been told both are considered security risks. My ISP does not think even the
latest release addresses these issues and refuses to let Formmail on its
servers. 

-Original Message-
From: drieux [mailto:[EMAIL PROTECTED]]
Sent: Monday, May 13, 2002 11:14 AM
To: cgi
Subject: Re: Matt Wright's formMail








Re: Matt Wright's formMail

2002-05-13 Thread Kevin Meltzer

On Mon, May 13, 2002 at 09:14:03AM -0700, drieux ([EMAIL PROTECTED]) said something 
similar to:
 which version of the code is the 'problem' version?
 
 what is the current specific 'security' issue?
 
 there was a security update to v1.92 on 04/21/02
 has there been some new issue arise??? since then?

Does it matter? They are scripts by Matt.. recurring security issues,
and (unless he has done some MAJOR reworking) they are written in Perl
4. Why would anyone want to run these in production?

Cheers,
Kevin

-- 
[Writing CGI Applications with Perl - http://perlcgi-book.com]
My PID is Inigo Montoya. You kill -9 my parent process. Prepare to vi.





Re: Matt Wright's formMail

2002-05-13 Thread drieux


On Monday, May 13, 2002, at 09:21 , Camilo Gonzalez wrote:
[..]
 The problems seem to be that it uses the Referer environmental variable to
 exclude spammers and it gives the option of encoding data in the URL. I've
 been told both are considered security risks. My ISP does not think even 
 the
 latest release addresses these issues and refuses to let Formmail on its
 servers.
[..]

in the main I have heard the same things - I can appreciate that
ISP's are at liberty to do as they will - I was just trying to
track down my exposure - given as our ISP is running v1.92

it could be that if one's ISP is doing a lot of virtual hosting
then the simplification of

@referers = ('wetware.com','199.108.16.17');

could get messy hence the following guard code:

sub check_url {

    # Localize the check_referer flag which determines if user is valid.
    local($check_referer) = 0;

    # If a referring URL was specified, for each valid referer, make sure  #
    # that a valid referring URL was passed to FormMail.                    #

    if ($ENV{'HTTP_REFERER'}) {
        foreach $referer (@referers) {
            if ($ENV{'HTTP_REFERER'} =~ m|https?://([^/]*)$referer|i) {
                $check_referer = 1;
                last;
            }
        }
    }
    else { $check_referer = 1; }

    # If the HTTP_REFERER was invalid, send back an error.
    if ($check_referer != 1) { error('bad_referer') }
}

is not sufficiently robust enough

where that code is preventing spamming is with:

@recipients = fill_recipients(@referers);

sub fill_recipients {
    local(@domains) = @_;
    local($domain,@return_recips);

    foreach $domain (@domains) {
        if ($domain =~ /^\d+\.\d+\.\d+\.\d+$/) {
            $domain =~ s/\./\\\./g;
            push(@return_recips,'^[\w\-\.]+\@\[' . $domain . '\]');
        }
        else {
            $domain =~ s/\./\\\./g;
            $domain =~ s/\-/\\\-/g;
            push(@return_recips,'^[\w\-\.]+\@' . $domain);
        }
    }

    return @return_recips;
}

and I have tested this anti-spam piece - and the
only thing that survives is aimed where it is supposed to go.

As for 'using old perl' - I'm not sure that is an 'issue'? is it?
since this is running in a 5.6 environment.

or am I missing something here???


ciao
drieux

---


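Added example, not FormMail's or NMS's code and not from any message in this thread: the recipient allowlist that drieux's fill_recipients builds from the configured domains, rewritten under use strict with patterns anchored at both ends and run over a few constructed form values. The allowed-domain list is the one quoted above; the sample addresses, the field format and the control-character check are assumptions of the example. The Referer header plays no part in the decision, since the client supplies it and it cannot authenticate a request.

```perl
#!/usr/bin/perl
# Added example (not FormMail or NMS code): build an anchored recipient
# allowlist from a list of permitted mail domains, then check a
# comma-separated "recipient" form field against it.  Runs offline on
# constructed sample input; nothing is sent anywhere.
use strict;
use warnings;

# Configuration in the same spirit as FormMail's @referers (values taken
# from the message above).
my @allowed_domains = ('wetware.com', '199.108.16.17');

# Turn each domain into an anchored pattern: user@domain or user@[ip].
# The trailing \z is the important difference from the unanchored
# '^[\w\-\.]+\@' . $domain form: an address whose host merely *starts*
# with an allowed domain (e.g. wetware.com.example.net) does not match.
sub build_recipient_patterns {
    my @patterns;
    for my $domain (@_) {
        my $q = quotemeta($domain);        # escapes '.', '-' and anything else
        if ($domain =~ /\A\d+\.\d+\.\d+\.\d+\z/) {
            push @patterns, qr/\A[\w\-.]+\@\[$q\]\z/i;
        } else {
            push @patterns, qr/\A[\w\-.]+\@$q\z/i;
        }
    }
    return @patterns;
}

# Check one form field value.  Returns (1, \@addresses) when every
# address is on the allowlist, (0, $reason) otherwise.
sub check_recipients {
    my ($field, @patterns) = @_;

    # Added check beyond what FormMail shows: a CR/LF in a value that is
    # later interpolated into "To:" would add mail headers of the sender's
    # choosing, so refuse the whole field rather than try to clean it.
    return (0, 'control characters in recipient field')
        if $field =~ /[\r\n\0]/;

    my @addresses = grep { length } map { s/^\s+|\s+$//gr } split /,/, $field;
    return (0, 'no recipient given') unless @addresses;

    for my $addr (@addresses) {
        my $ok = 0;
        for my $pat (@patterns) {
            if ($addr =~ $pat) { $ok = 1; last }
        }
        return (0, "$addr is not an allowed recipient") unless $ok;
    }
    return (1, \@addresses);
}

# Constructed sample inputs, standing in for what a form might submit.
my @samples = (
    '[email protected]',
    '[email protected], [email protected]',
    '[email protected]',
    '[email protected]',       # begins with an allowed domain
    "[email protected]\r\nBcc: [email protected]",
    '',
);

my @patterns = build_recipient_patterns(@allowed_domains);
for my $s (@samples) {
    my ($ok, $detail) = check_recipients($s, @patterns);
    (my $shown = $s) =~ s/[\r\n]/\\n/g;      # keep the report on one line
    printf "%-7s %s%s\n", ($ok ? 'accept' : 'reject'), "'$shown'",
        ($ok ? '' : "  ($detail)");
}
```

Run it with a plain `perl` to see each constructed value labelled accept or reject; the two rejected domain cases show why the anchor and the quotemeta matter more than the Referer comparison.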




Re: Matt Wright's formMail

2002-05-13 Thread fliptop

drieux wrote:

 
 or am I missing something here???


i think what you're missing is there's no point in trying to justify 
running any version of any of matt's code - use the drop in replacements 
at sourceforge or take the (quite unnecessary) risk.  it's as simple as 
that.






[sorta OT] Re: Matt Wright's formMail

2002-05-13 Thread Michael Kelly

On 5/13/02 10:49 AM, fliptop [EMAIL PROTECTED] wrote:

 i think what you're missing is there's no point in trying to justify
 running any version of any of matt's code - use the drop in replacements
 at sourceforge or take the (quite unnecessary) risk.  it's as simple as
 that.

Ok, I have a question now: What, exactly, started the vendetta that the
entire Perl community seems to have against Matt's Script Archives? Is it
the constant security concerns, or is there something else?

At the moment, MSA at its worst doesn't seem nearly as bad as, say,
Microsoft.

I'm not trying to defend MSA, it's just that I've seen endless trash talked
about it, and, being a relative newcomer to the Perl scene, I'm curious as
to where it all started.

Thanks,
-- 
Michael






Re: Matt Wright's formMail

2002-05-13 Thread John Brooking

I must confess I'm not intimately familiar with the
script in question, so I don't completely understand
what the code snippet that drieux included does,
therefore how it is or is not sufficiently secure.
However, I have some more general comments in the way
of clarification.

It seems to me that the *fact* of using the referers
environment variable is not the security risk, but
that relying on it *only* is the risk. My introduction
to this issue was getting publicly flamed on perl
beginners last summer partially for not knowing this.
(Don't worry, the burns healed quickly.) Since then,
I've at least read enough to know that anyone with the
LWP module or any other HTTP API in any language can
build a web client with any referer header they want.
But I would think that means that using referers in
itself is not inherently dangerous, only thinking that
it's doing you any good security-wise is. The danger
that this ignorance makes possible depends on what the
rest of your script does with the input it gets.

Encoding data in the URL - well, all GET parameters
work that way, in the broadest definition of the term
data. The question is, what does the script *do*
with that data? As all good readers of the security
chapter of O'Reilly's CGI Programming with Perl
(among others) will know, the biggest security hole
with user input is when that data is used for input to
a shell process. Is that what Matt's script does? If
so, is the generally approved work-around one of the
two fix-ups recommended by that book: (1) filter the
input string to disallow bad characters such as
shell escapes, or better yet, (2) use a combination of
fork and exec rather than simply opening a pipe to a
process? How does the NMS replacement code handle
this, and what do you all do in similar cases?

- John



=
When you're following an angel, does it mean you have to throw your body off a 
building? - They Might Be Giants, http://www.tmbg.com

Word of the week: Serendipity, see http://www.bartleby.com/61/93/S0279300.html


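An added example, not NMS or FormMail code and not from the thread, of the two fix-ups John lists applied to the step where form fields become a mail message: every header value is checked against a strict pattern and only the matched text is kept (the taint-mode idiom, so -T refuses to exec with anything unchecked), and sendmail is started with the list form of open(), so no shell ever parses the arguments. The sendmail path, the SEND switch, the fixed site-owner address and the sample form values are assumptions. Run it as `perl -T mailer.pl` (or directly, so the shebang's -T applies); without SEND set it prints the message instead of delivering it.

```perl
#!/usr/bin/perl -T
# Added example (not NMS or FormMail code).  Demonstrates untainting by
# pattern capture and a shell-free pipe to sendmail.  Dry run by default:
# set SEND=1 in the environment to hand the message to sendmail.
use strict;
use warnings;

# Taint mode insists on a trustworthy environment before any exec.
$ENV{PATH} = '/usr/sbin:/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

my $SENDMAIL   = '/usr/sbin/sendmail';       # assumed location
my $SITE_OWNER = '[email protected]';     # fixed recipient, never taken from the form

# Constructed form input, standing in for what CGI.pm would return.
# In a real CGI these values arrive tainted; the capture below untaints them.
my %form = (
    email    => '[email protected]',
    realname => 'Jane Visitor',
    subject  => 'Question about your site',
    comments => "Hello,\n\nDoes the widget ship internationally?\n",
);

# Untaint by keeping only the matched part.  A value that fails the
# pattern is an error; it is not "cleaned" character by character.
# \z rather than $ so a trailing newline cannot slip through.
sub untaint_email {
    my ($v) = @_;
    return $v =~ /\A([\w.+-]+\@[\w-]+(?:\.[\w-]+)+)\z/ ? $1 : undef;
}

sub untaint_header_text {
    my ($v) = @_;
    # Printable ASCII only: no CR/LF, so the value cannot add a header line.
    return $v =~ /\A([\x20-\x7e]{1,200})\z/ ? $1 : undef;
}

# Returns ($message, undef) on success or (undef, $reason) on rejection.
sub build_message {
    my ($f) = @_;
    my $from = untaint_email($f->{email})          or return (undef, 'bad email');
    my $name = untaint_header_text($f->{realname}) or return (undef, 'bad realname');
    my $subj = untaint_header_text($f->{subject})  or return (undef, 'bad subject');

    # The body may contain newlines; it cannot reach the header block
    # because the blank line below ends the headers first.
    (my $body = $f->{comments}) =~ s/\r\n?/\n/g;

    my $msg = "To: $SITE_OWNER\n"
            . "From: $name <$from>\n"
            . "Subject: $subj\n"
            . "\n"
            . $body;
    return ($msg, undef);
}

sub deliver {
    my ($msg) = @_;
    if ($ENV{SEND}) {
        # List form of open(): program and arguments go straight to exec(),
        # never through /bin/sh, so quotes or ';' in any value are inert.
        open(my $mail, '|-', $SENDMAIL, '-oi', '-t')
            or die "cannot run $SENDMAIL: $!";
        print {$mail} $msg;
        close($mail) or die "sendmail exited with status $?";
    } else {
        print $msg;   # dry run: show what would be handed to sendmail
    }
}

my ($msg, $err) = build_message(\%form);
die "rejected: $err\n" if defined $err;
deliver($msg);
```

Changing `realname` in `%form` to a value containing a newline makes build_message return a rejection rather than a message, which is the behaviour you want from a filter: a field that does not look like a name is refused, not repaired.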




RE: Matt Wright's formMail

2002-05-13 Thread Camilo Gonzalez

After a quick perusal it seems the replacement form's greatest contribution
seems to be to limit the number of recipients that may be emailed at any one
time. There seem to be a number of other improvements and it looks like the
code is updated more to what is recommended here. I do understand the
objections to Matt's style, after all he wrote this stuff when he was just
14 and Perl has come a long way since then. I don't share the animosity,
after all he has done a great deal to popularize Perl. It's just too bad he
did it with poor code and continues to write bad code.

-Original Message-
From: John Brooking [mailto:[EMAIL PROTECTED]]
Sent: Monday, May 13, 2002 3:53 PM
To: cgi
Subject: Re: Matt Wright's formMail



Re: [sorta OT] Re: Matt Wright's formMail

2002-05-13 Thread fliptop

Michael Kelly wrote:

 Ok, I have a question now: What, exactly, started the vendetta that the
 entire Perl community seems to have against Matt's Script Archives? Is it
 the constant security concerns, or is there something else?


there is no vendetta that i know of.

the nms project at sourceforge provides drop-in replacements for all of 
matt's scripts.

read the nms page at http://nms-cgi.sourceforge.net.  does it sound like 
a bitter quarrel?  i don't think so.  it's simply a way to get reliable, 
secure open-source code that works in perl 5.004, uses no standard 
modules and drops in place of matt's code.

sounds more like a solution than a vendetta.






Re: [sorta OT] Re: Matt Wright's formMail

2002-05-13 Thread Kevin Meltzer

Ack.. I used to have a nice long, detailed reason why (I think I may
have sent it to someone on this list at some point who asked me the
same question). 

To sum up.. Matt's code is bad. It has various security holes, is not
maintained, and is in Perl 4. The 'vendetta' has come from years of him
NOT removing his scripts from the internet (spreading cargo-cult
programming), and not updating them accordingly. When someone is new to
Perl (like yourself) you may just say "Hey, here are some free scripts
I can use! YAY!" and not know they are outdated, poorly programmed,
barely supported, and are known to have recurring security issues. As
well, his code should not be used by beginners to learn how to program
in Perl. Instead, it should be (and is) used in talks of what not to
do. 

Many of us in the Perl community have repeatedly asked him to either
rewrite his code fully, or simply remove it from his site. He has, each
time, either ignored or flatly refused to do so. This is why NMS was
finally started.

So, it is the security concerns, as well as the others I mentioned.
Someone else may even have a few I have forgotten. I hope this answers
your question :)

BTW folks, please do not turn this into an ever-going Matt bashing
thread.. or I will be forced to close it (trying to be preventative
here). 

Cheers,
Kevin


-- 
[Writing CGI Applications with Perl - http://perlcgi-book.com]
All people have the right to be stupid, some people just abuse it!
-- Frank Zappa





Re: Matt Wright's formMail

2002-05-13 Thread Bruce Ferrell

Just to throw jet fuel on the fire... cuz they come up on a google
search for:

 cgi perl counter

and nms doesn't! :)

Seriously, I do use them (ok, did until now) because they're handy,
don't spew errors and I can understand the code.  Now that I know they
have problems, probably not anymore... 'course I need to look over the
nms scripts to see what I need to do to make them mine but... :-D

Just for the record, when I started using MSA, over 4 years ago nms
didn't exist and I used them for the reasons listed above.  I was a
sysadmin, am a sysadmin and my job isn't to audit every stick of code in
the world... It's to run systems as securely as possible.  Until I hear
something about a serious deficit in a chunk of code, I use it.

If the problem is simply that the code is considered old and crufty...
well, on that basis;  Do I really need to say it?








Re: Matt Wright's formMail

2002-05-13 Thread Kevin Meltzer

Heya,

On Mon, May 13, 2002 at 04:42:55PM -0700, Bruce Ferrell ([EMAIL PROTECTED]) said 
something similar to:
 Just to throw jet fuel on the fire... cuz they come up on a google
 search for:
 
  cgi perl counter
 
 and nms doesn't! :)

And that is one of the problems some in the community have had with
Matt :) People put that type of search in, see those scripts, and use
them. He has been asked to remove his scripts and point to other,
similar, scripts which have been OK'd by the community at large. But,
he hasn't. I have emailed him no less than half a dozen times myself,
all ignored.

But, luckily y'all have this list to enlighten you :)
 
 Just for the record, when I started using MSA, over 4 years ago nms
 didn't exist and I used them for the reasons listed above.  I was a
 sysadmin, am a sysadmin and my job isn't to audit every stick of code in
 the world... It's to run systems as securely as possible.  Until I hear
 something about a serious deficit in a chunk of code, I use it.

I'm well aware of how sysadmins just use code they find :) Part of my
living is made from fixing/re-writing such code. I think this is a
greater problem with many IT people.. blindly using code which they
don't understand. When you have the source, and you don't understand
it, people should use lists, newsgroups and peers to have someone
review it to see if it is really acceptable production code. But, hey..
I live in a fantasy world where production code is reviewed, tested,
portable, and uses common practices :)

Cheers,
Kevin (from Kevtopia)



-- 
[Writing CGI Applications with Perl - http://perlcgi-book.com]
BASIC is the Computer Science equivalent of `Scientific Creationism'.
-- BSD fortune file
