In my text file, the column that has the search phrase has a whole header for what looks like several test emails, including a BCC for what looks like a legit aol address.
Now, if this script actually emailed anything, I might be worried, but it doesn't, so I can't figure out what they are trying to do.
I added a line of code that causes the script to die when the @ sign is in the search phrase, but I am worried that I am missing something here. Is there anything else they could do with this script? Or am I dealing with a really dumb hack?
use CGI qw(param);

for my $name (param()) {                 # loop over every form field
    my $value = param($name);
    # reject the value if it contains anything other than letters and digits
    if ($value =~ m/[^a-zA-Z0-9]/) { die "bla, bla" }
}   # end of loop
Add to the regular expression some other chars if needed (like underscore, etc.)
my $searchstring = quotemeta(param('searchstring'));
where param('searchstring') is the input for the form.
Or you could use the \Q..\E sequence in your regexps:
if ($text_to_search =~ /\Q$searchstring\E/) {
...
}
This will allow you to pretty safely permit all characters in a search. Also, make sure to escape HTML tags before printing results back to the screen. Otherwise, stuff like JavaScript (and just regular HTML code) can be inserted into a searchstring and will be executed by the browser upon display of the results.
A good basic search script can be found here:
Scroll down to "Simple Search". It takes care of most of the security issues for you, like it uses the -T switch, it escapes HTML and plenty of other stuff you may not even be aware is possible. It also uses CGI.pm to prevent file uploads and limit the data sent to the server. I suggest you at least look at it if you can't use it.
As far as your specific problem, it is a nuisance. It seems plenty of people try to exploit CGI scripts and see what they can cause to happen, either send spam or just throw a wrench into your server, or worse. So security is always a concern for all CGI scripts.
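An added example, not code from this thread, that puts the quotemeta / \Q..\E advice and the HTML-escaping advice side by side: the same constructed search strings are run through a raw interpolated regex and through a \Q..\E regex, and the echoed search string is escaped before it would go back to the browser. It does not need CGI.pm; the lines searched and the search strings are made up for the demo.

```perl
#!/usr/bin/perl
# Added example (not from the thread). Constructed data throughout.
use strict;
use warnings;

# Constructed "document" lines a search script might scan.
my @lines = (
    'Contact us at support@example.com for help',
    'Pricing: $10 per (monthly) seat',
    'Plain line with no specials',
);

# Unsafe: the user string is interpolated as regex syntax. A lone "("
# makes the pattern invalid (the script dies), and ".*" matches every line.
sub match_unsafe {
    my ($text, $search) = @_;
    return $text =~ /$search/;
}

# Safe: \Q..\E (equivalently quotemeta) makes every character literal.
sub match_safe {
    my ($text, $search) = @_;
    return $text =~ /\Q$search\E/;
}

# Escape the characters that matter before echoing user input into HTML,
# so a searchstring like <script> is displayed rather than executed.
sub html_escape {
    my ($s) = @_;
    my %map = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
               '"' => '&quot;', "'" => '&#39;');
    $s =~ s/([&<>"'])/$map{$1}/g;
    return $s;
}

for my $search ('(monthly', '.*', '<script>alert(1)</script>') {
    my $safe_hits = scalar grep { match_safe($_, $search) } @lines;
    # eval catches the "Unmatched (" die raised by the unsafe version
    my $unsafe_hits = eval { scalar grep { match_unsafe($_, $search) } @lines }
        // 'died (invalid pattern)';
    printf "searched for %s: safe=%d unsafe=%s\n",
        html_escape($search), $safe_hits, $unsafe_hits;
}
```

Expected behaviour: "(monthly" matches one line literally but kills the unsafe version, ".*" matches nothing literally but every line unsafely, and the script tag is printed as &lt;script&gt; text.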