0

This is sitting in my web site's cgi-bin. Should I be concerned about it?

    #!/usr/bin/perl

    print <<HTML;
    Content-type: text/html

    <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
    <html>
    <head>
    <title></title>
    <meta http-equiv="Content-Type" content="text/html">
    <link rel="stylesheet" type="text/css" href="../../css/style.css">
    </head>
    <body>
    <table cellspacing="0" cellpadding="0" border="0">
    <tr class="subhead" align="Left"><th>Name</th><th>Value</th></tr>
    HTML

    my $class;

    foreach (sort keys %ENV) {
        next unless /^HTTP_|^REQUEST_/;
        $class = ($class ne 'normal')? 'normal': 'alt';
        print <<HTML;
    <tr class="$class"><td valign="top">$_</td><td>$ENV{$_}</td></tr>
    HTML
    }

    print <<HTML;
    </table>
    </body>
    </html>
    HTML
binaryorganic

2 Answers

9

It looks like it goes through and makes an HTML table out of all of your environmental variables.

Would you consider that nefarious? I'd consider anything that I didn't put on my own server to be nefarious, but that's me.

MDMarra
4

Looking at the code, it appears to be decidedly naive (it would be possible to use it to leverage an attack); however, it doesn't appear to have been written for that purpose.

However, if the code is on your website and you don't know why / how it got there nor what function it serves, then you shouldn't even have to ask us before removing it!

symcbean
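The script in the question interpolates `$ENV{$_}` for every `HTTP_*` and `REQUEST_*` variable straight into the page, so values supplied by the client in request headers reach the HTML unescaped. As an added example (not part of the original question or answers), here is the same table built with HTML escaping; `escape_html`, `env_rows` and the sample hash are names and values constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Minimal HTML escaping for text and attribute contexts (core Perl only).
sub escape_html {
    my ($text) = @_;
    $text = '' unless defined $text;
    my %entity = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
                  '"' => '&quot;', "'" => '&#39;');
    $text =~ s/([&<>"'])/$entity{$1}/g;
    return $text;
}

# Build the table rows from an environment hash, escaping names and values.
# Same prefix filter and row striping as the script in the question.
sub env_rows {
    my ($env) = @_;
    my $class = 'alt';
    my $rows  = '';
    foreach my $name (sort keys %$env) {
        next unless $name =~ /^(?:HTTP_|REQUEST_)/;
        $class = ($class ne 'normal') ? 'normal' : 'alt';
        $rows .= sprintf qq{<tr class="%s"><td valign="top">%s</td><td>%s</td></tr>\n},
            $class, escape_html($name), escape_html($env->{$name});
    }
    return $rows;
}

# Constructed sample input standing in for %ENV during a CGI request.
my %sample = (
    HTTP_HOST       => 'www.example.com',
    HTTP_USER_AGENT => 'Agent/1.0 <b>markup</b> & "quotes"',
    REQUEST_METHOD  => 'GET',
    PATH            => '/usr/bin',   # dropped by the prefix filter
);

print "Content-type: text/html; charset=utf-8\n\n";
print "<table>\n", env_rows(\%sample), "</table>\n";
```

With the sample input, the markup in the User-Agent value is emitted as `&lt;b&gt;markup&lt;/b&gt; &amp; &quot;quotes&quot;` and is displayed as text rather than interpreted by the browser.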