Subject: Arbitrary command execution, probably
Username and password are not handled securely. Both are passed by the
client and should be considered tainted. (The password is only an attack
vector when not using a passfile.)
You do this:
    # Username and password are interpolated into a single string that is
    # then handed to the shell by the backticks; quotes in either break out.
    $cmd = "$program '$username' '$password' ";
    $cmd .= join(' ', @args);
    my @output = `$cmd`;
Consider doing this instead:
    # List form of open: the program is exec'd directly, no shell is involved,
    # and each argument reaches it verbatim.
    open(my $fh, "-|", $program, $username, $password, @args)
        or die "$program: $!\n";
    my @output = <$fh>;
    close $fh or warn "$program exited with status ", $? >> 8, "\n";
Another option would be to provide the program with the username and
password on STDIN. On some systems this is also more secure than putting
the password in a temporary file.
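The following is an added example, not code from the original report or from the affected module: it runs a helper program with the username as a separate argv element (no shell) and delivers the password on the child's STDIN, as suggested above. The stand-in client program (a one-line perl script run through `$^X`), the helper name `run_with_password_on_stdin`, and the hostile sample username are all constructed for the illustration.

```perl
#!/usr/bin/perl
# Added example: pass the username as an argv element and the password on
# STDIN, never through a shell command string.
use strict;
use warnings;
use IPC::Open2;

# @$program_argv holds the program and its fixed options (an array ref).
# $username is appended as its own argv element, so shell metacharacters in
# it are passed literally. $password is written to the child's STDIN.
# Returns the child's exit status followed by its output lines.
sub run_with_password_on_stdin {
    my ($program_argv, $username, $password) = @_;
    my ($child_out, $child_in);
    # With more than one element in the command list, open2 execs directly
    # and no shell ever sees the arguments.
    my $pid = open2($child_out, $child_in, @$program_argv, $username);
    print {$child_in} "$password\n";
    close $child_in or die "close child stdin: $!\n";
    my @output = <$child_out>;
    close $child_out;
    waitpid $pid, 0;
    return ($? >> 8, @output);
}

# Stand-in for the real client program (assumption): a small perl script that
# prints the username it received and the length of the password it read
# from STDIN. $^X is the path of the running perl interpreter.
my $fake_client = q{
    my $user = shift @ARGV;
    chomp(my $pw = <STDIN>);
    print "user=<$user>\n";
    print "pw_len=", length($pw), "\n";
};
my @program = ($^X, '-e', $fake_client);

# Constructed hostile input: a username carrying shell metacharacters.
my $username = q{alice'; echo INJECTED; '};
my $password = 'hunter2';

my ($status, @out) = run_with_password_on_stdin(\@program, $username, $password);
print @out;
print "exit status: $status\n";
```

The `user=<...>` line printed by the child shows the quotes and semicolons of the hostile username arriving intact as one argument; nothing in it is interpreted, and the password never appears in the process's argv, where `ps` would otherwise expose it.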