-- vuln1.html - The submission form -- 
Thankyou for visiting my site. Please submit your comments and suggestions here: 

-- EOF -- 
-- vuln1.pl - The vulnerable perl script -- 
#!/usr/bin/perl 
# Output will be an html page 
print "Content-type: text/html\n\n"; 
# Get input from form into the @pairs array 
@pairs = split(/&/, $ENV{'QUERY_STRING'}); 
# For each name/value pair in the array foreach 
$pair (@pairs) { 
# Split the pair into their own variables 
($name, $value) = split(/=/, $pair); 
# Convert the form-encoding back 
$name =~ tr/+/ /; 
$name =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg; 
$value =~ tr/+/ /; 
$value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg; 
# Store the destination email address and comments in variables 
if ($name eq "address") {
# Store the destination email
address $address = $value; }
elsif ($name eq "comments") { 
# Store the comments 
$comments = $value; } } 
# At this point $address holds the address specified on the form, and 
# $comments holds the user's comments. 
# --- "Active" part 
# See discussion for details of this part 
open(MAIL,"| /bin/mail $address"); 
print MAIL "$comments"; 
close(MAIL); 
# --- End of "active" part 
# Print output for the user print  Thanks for your comments
EOT-- EOF -- 

-- vuln2.shtml - A public comments page -- 
Thankyou for visiting my site. Please submit your comments and suggestions here: 

Here's what other people have had to say: 
-- EOF -- 
-- vuln2.pl - The vulnerable perl script -- 
#!/usr/bin/perl 
# Define the location of the page to be updated 
# Change this to the location of vuln2.shtml if you're trying this out 
$pagename = "/home/web/html/vuln2.shtml"; 
# Print content-type header 
print "Content-type: text/html\n\n"; 
# Get input from form into the @pairs array 
@pairs = split(/&/, $ENV{'QUERY_STRING'}); 
# For each name/value pair in the array foreach 
$pair (@pairs) { 
# Split the pair into their own variables 
($name, $value) = split(/=/, $pair); 
# Convert the form-encoding back 
$name =~ tr/+/ /; 
$name =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg; 
$value =~ tr/+/ /; 
$value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg; 
# Store the comments in a variable 
if ($name eq "comments") { 
# Store the comments 
$comments = $value; } } 
# At this point $comments holds the user's comments. 
# Separate each comment in the output file 
$comments .= "\n \n"; 
# --- "Active" part # Open the file for read/write 
open(FILE,"+; 
# Search through the array and insert the comments just before the #  
line $linenum = 1; 
foreach $line (@list) { if ($line =~ /^/) { $linenum--; 
splice(@list, $linenum, 0, $comments); 
last; } 
$linenum++; } 
# Write the array back to the file 
seek(FILE,0,0); 
truncate(FILE,0); 
foreach $line (@list) { print FILE $line; } 
# Close the file 
close(FILE); 
# --- End "active" part 
# Print output for the user print  Thanks for your comments. Click here to return to the comments page
EOT -- EOF --