[rt-users] Web interface for clients

Swayne, Mark A mark.a.swayne at xo.com
Wed Feb 27 20:09:38 EST 2002


I would recommend that you avoid using the script mentioned below.

I took a look at the script and I didn't see anything I knew how to exploit,
but I saw some things that make me suspicious:
1. Taint checking is not enabled.  You should *always* enable taint checking
   for CGIs.

2. The strict pragma is not used.  Generally speaking, abiding by the
   restrictions strict mode enforces makes for better, more robust code.
   Unless you are Damian Conway, use strict.

3. This script parses CGI arguments itself, instead of using CGI.pm.  CGI.pm
   is part of the standard distribution, and is well tested.  Parsing CGI
   input is not as trivial as it seems.

4. Warnings aren't enabled.  While running with warnings enabled does have a
   slight speed impact, if you're running this code, you're not Yahoo!.  If
   the code can't run without generating warnings, you should fix it.

If you want to know more about these issues, visit http://perlmonks.org/ and
search for 'use strict' 'use CGI'.

Several people here have stated their opinions of MSA:
http://perlmonks.org/index.pl?lastnode_id=3989&node_id=27967
http://perlmonks.org/index.pl?lastnode_id=104167&node_id=104159

And this thread mentions the form mailer by name:
http://perlmonks.org/index.pl?lastnode_id=93757&node_id=93731

And finally a thread all about form mailer:
http://perlmonks.org/index.pl?lastnode_id=3989&node_id=102758

Also read perlsec.
http://www.perldoc.com/perl5.6.1/pod/perlsec.html

Let's be careful out there.
--Mark


-----Original Message-----
From: Tom Holub [mailto:tom at LS.Berkeley.EDU]
Sent: Wednesday, February 27, 2002 2:32 PM
To: francisv at dagupan.com
Cc: rt-users at lists.fsck.com
Subject: Re: [rt-users] Web interface for clients


On Tue, Feb 26, 2002 at 05:04:08PM +0800, francisv at dagupan.com wrote:
> Hi,
> 
> Is it possible to integrate RT to an existing web form where clients can
> select which issues they want to report besides using the e-mail? Here's
> the scenario:
> 
> Web form -> client selects issue, describes problem, enters e-mail & other
> contact information -> client clicks submit report -> server accepts
> request, checks for required fields -> sends e-mail to RT -> RT responds
> to client by sending back the trouble ticket

You should be able to do this with a simple web form, and something like
the formmail.pl script from Matt's Script Archive.  
<http://worldwidemart.com/scripts/formmail.shtml>

-- 
Tom Holub (tom_holub at LS.Berkeley.EDU, 510-642-9069)
College of Letters & Science
249 Campbell Hall

_______________________________________________
rt-users mailing list
rt-users at lists.fsck.com
http://lists.fsck.com/mailman/listinfo/rt-users
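The four points Mark raises (taint mode, strict, CGI.pm, warnings) applied to the "web form -> e-mail to RT" gateway Francis describes, as an added example. This is not Mark's code, not the formmail.pl script from Matt's Script Archive, and not part of RT; the RT queue address, the sendmail path and the form field names (email, issue, description) are assumptions. It shows the practical consequence of -T: the raw form values cannot be handed to sendmail until each one has been validated and untainted by a regex capture, and mail is sent through a list-form open so no shell ever sees the input.

```perl
#!/usr/bin/perl -T
# Added example: a minimal web-form-to-RT mail gateway written the way the
# post above recommends. Not the script from Matt's Script Archive, not RT's
# own code. Addresses, paths and field names below are assumptions.
use strict;
use warnings;
use CGI;                      # ships with perl; let it parse the request

# Under -T perl refuses to run an external program while these are untrusted.
$ENV{PATH} = '/usr/sbin:/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Assumed values. The recipient is fixed server-side and never taken from the
# form, so a client cannot turn the gateway into an open relay.
my $RT_ADDRESS = 'rt@example.com';
my $SENDMAIL   = '/usr/sbin/sendmail';

my $q = CGI->new;

# Form parameters are tainted. Each one is validated and untainted in one step
# by capturing from an anchored regex; a field that does not match is rejected.
my ($email) = field('email') =~ /\A([\w.+-]+@[\w-]+(?:\.[\w-]+)+)\z/
    or fail('A valid e-mail address is required.');
my ($issue) = field('issue') =~ /\A(network|login|printing|other)\z/
    or fail('Please pick an issue type from the list.');
my ($desc) = field('description') =~ /\A([[:print:]\n\r\t]{1,4000})\z/
    or fail('Please describe the problem (printable text, at most 4000 characters).');

# Header values must stay on one line; a newline here would let the client
# append headers of their own (extra recipients, for example). The regexes
# above already exclude newlines, this is a belt-and-braces check.
my $subject = "[$issue] web form report";
fail('Refusing to put a line break in a mail header.')
    if "$subject$email" =~ /[\r\n]/;

# List-form open: program and arguments go straight to exec(), no shell.
# -t makes sendmail take the recipients from the headers we write below.
open(my $mail, '|-', $SENDMAIL, '-oi', '-t')
    or fail("Cannot run sendmail: $!");
print $mail "To: $RT_ADDRESS\n",
            "From: $email\n",
            "Subject: $subject\n",
            "\n",
            "Issue type: $issue\n",
            "Reporter: $email\n",
            "\n",
            "$desc\n";
close($mail)
    or fail('sendmail exited with status ' . ($? >> 8));

print $q->header('text/plain'),
      "Thanks, your report has been sent. RT will e-mail you the ticket number.\n";

# Return a form field as a plain scalar ('' if absent) so the regex matches
# above always see a string.
sub field {
    my ($name) = @_;
    my $value = $q->param($name);
    return defined $value ? $value : '';
}

# Reject the request with a 400 and a short reason. The reason text is ours,
# never the client's input, so nothing is reflected back.
sub fail {
    my ($msg) = @_;
    print $q->header(-type => 'text/plain', -status => '400 Bad Request'),
          "$msg\n";
    exit 0;
}
```

Run it as a CGI (the -T on the shebang line is what enables taint mode; if the web server invokes the script via `perl script.pl` rather than the shebang, -T must appear on that command line too, or perl aborts with "Too late for -T"). The `issue` field is constrained to a fixed set of values rather than free text, which is what lets it go into the Subject header without further treatment; the e-mail address pattern is deliberately conservative and will reject some legal but unusual addresses, a trade that is usually right for a trouble-ticket form.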
