Question: You are asked to improve the security in the CGI handler script used to send comments to the Web master of your server. The current script in use is shown in Figure 11.10a, with the associated form shown in Figure 11.10b. Identify some security deficiencies present in this script. Detail what steps are needed to correct them, and design an improved version of this script.
Figure 11.10a:
#!/usr/bin/perl
# comment.cgi - send comment to webmaster
# specify recipient of comment email
$to = "webmaster";
use CGI;
use CGI::Carp qw(fatalsToBrowser);
$q = new CGI;                       # create query object
# display HTML header
print $q->header,
      $q->start_html('Comment Sent'),
      $q->h1('Comment Sent');
# retrieve form field values and send comment to webmaster
$subject = $q->param("subject");
$from    = $q->param("from");
$body    = $q->param("body");
# generate and send comment email
# (note: form values are interpolated straight into a shell command line)
system("export REPLYTO=\"$from\"; echo \"$body\" | mail -s \"$subject\" $to");
# indicate to user that email was sent
print "Thankyou for your comment on $subject.";
print "This has been sent to $to.";
# display HTML footer
print $q->end_html;
Figure 11.10b:

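As an added example (not part of the textbook figure or its published solution), one way to address the weaknesses in Figure 11.10a: form values reach a shell via system(), unvalidated input can add mail headers, fatalsToBrowser leaks error detail, and the subject is echoed back unescaped. The hardened script below assumes Perl 5.10 or later and sendmail at /usr/sbin/sendmail; the field patterns and length limits are assumptions a site would tune.

```perl
#!/usr/bin/perl -T
# comment.cgi - hardened version: send comment to webmaster
use strict;
use warnings;
use CGI;
use CGI::Carp;          # errors go to the server log, not the browser

# taint mode: fix PATH and drop variables that could influence a child process
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

my $to = 'webmaster';   # fixed recipient, never taken from the form
my $q  = CGI->new;

# validate each field against an explicit pattern; the capture untaints the value
# and rejects newlines, so no extra mail headers can be injected (limits assumed)
my ($subject) = ($q->param('subject') // '') =~ /^([\w .,!?'-]{1,80})$/;
my ($from)    = ($q->param('from')    // '') =~ /^([\w.+-]+@[\w-]+(?:\.[\w-]+)+)$/;
my $body      = $q->param('body') // '';

print $q->header;
if (!defined $subject || !defined $from || length($body) == 0 || length($body) > 4000) {
    print $q->start_html('Comment Rejected'), $q->h1('Comment Rejected'),
          $q->p('Please supply a valid reply address, a short subject and a body.'),
          $q->end_html;
    exit 0;
}

# list-form pipe open runs sendmail directly: no shell, so no metacharacter
# interpretation of user data; headers are built only from the validated fields
open(my $mail, '|-', '/usr/sbin/sendmail', '-oi', '-t')
    or die "cannot run sendmail: $!";
print $mail "To: $to\n",
            "Reply-To: $from\n",
            "Subject: $subject\n",
            "\n",
            "$body\n";
close($mail) or die "sendmail failed: $?";

# HTML-escape anything echoed back so the confirmation page cannot carry script
print $q->start_html('Comment Sent'), $q->h1('Comment Sent'),
      $q->p('Thank you for your comment on ' . $q->escapeHTML($subject) . '.'),
      $q->p("This has been sent to $to."),
      $q->end_html;
```

The -T switch makes Perl refuse to pass unvalidated (tainted) form data to any external command, so a future edit that reintroduces system() with user input fails at run time rather than silently.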