Bugtraq mailing list archives
Re: perl fingerd stupidity
From: gbacon () CRP-201 ADTRAN COM (Greg Bacon)
Date: Fri, 1 Aug 1997 08:30:03 -0500
If that fingerd were run with taint checks on (i.e. #! perl -T), then it
wouldn't be such a huge hole. A better way to have done it would be
something like:

    #! /usr/bin/perl -T
    require 5;      # if you don't have it, upgrade already! :-)

    $ENV{PATH} = join ":", qw( /bin /usr/bin );
    # -T also refuses to spawn a child while any of these is tainted
    delete @ENV{qw( IFS CDPATH ENV BASH_ENV )};

    $user = <STDIN>;
    chomp $user;
    # -T will not hand tainted data to system, even in list form, so
    # untaint it by capturing the part that matches a safe pattern
    ($user) = $user =~ /^(\w+)$/ or die "bad user name\n";

    if (-e "/usr/lib/finger/$user") {
        system "perl", "/usr/lib/finger/$user";
    } else {
        system "perl", "/usr/lib/finger/default", $user;
    }

Note that passing a list to system (or exec) bypasses the shell, so
even if $user eq 'foo; rm -rf /', there is no danger as far as this
script is concerned (it all depends on what those scripts in /usr/lib
are doing with their arguments).

(If you're still wondering about taint checks, -T is just an
instruction to perl telling it that it shouldn't let data from the
outside world come in and be a part of operations that affect the
outside world without first being subject to a thorough looking over.)

Greg

--
open(G,"|gzip -dc");$_=<<EOF;s/[0-9a-f]+/print G pack("h*",$&)/eg
f1b88000b620f22320303fa2d2e21584ccbcf29c84d2258084
d2ac158c84c4ece4d22d1000118a8d5491000000
EOF
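The following is an added example, not code from Greg Bacon's post: it puts the shell-interpolating form of the finger handler beside the list form, and adds the regex untaint that -T insists on before tainted input can reach system(). The /usr/lib/finger layout, the per-user scripts and the allowed user-name pattern are assumptions for illustration; the allowlist rejects a name such as 'foo; rm -rf /' outright rather than relying on the list form alone to keep it literal.

```perl
#!/usr/bin/perl -T
# Added example (not the original poster's code). Run as: perl -T finger.pl
# Assumes a /usr/lib/finger directory with one script per user plus a
# "default" script, as described in the post.
use strict;
use warnings;

# Under -T perl refuses to start a child process while PATH, or any of
# IFS/CDPATH/ENV/BASH_ENV, is tainted, so fix PATH and drop the rest.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

my $finger_dir = '/usr/lib/finger';   # assumed layout

# Only a conservative user-name pattern gets through (no '/', '.', ';',
# whitespace, ...). The capture group is what untaints the value: -T
# treats the match result as trusted, everything else stays tainted.
sub untaint_user {
    my ($raw) = @_;
    return unless defined $raw;
    chomp $raw;
    return $1 if $raw =~ /\A([a-z_][a-z0-9_-]{0,31})\z/;
    return;
}

# Builds the argv list for the per-user or default script. Because this
# always yields at least two elements, system() never consults /bin/sh.
sub finger_argv {
    my ($user) = @_;
    my $script = "$finger_dir/$user";
    return -e $script
        ? ('perl', $script)
        : ('perl', "$finger_dir/default", $user);
}

# The hole: a single string is passed to /bin/sh, so ';' in $user ends
# the perl command and starts a second one. Shown for contrast; never
# called here.
sub unsafe_run {
    my ($user) = @_;
    return system "perl $finger_dir/$user";
}

# The fix: validate first, then exec perl directly with the list form.
# $user becomes exactly one argv entry, whatever characters it holds.
sub safe_run {
    my ($raw) = @_;
    my $user = untaint_user($raw);
    unless (defined $user) {
        print "finger: invalid user name\n";
        return 1;
    }
    return system(finger_argv($user));
}

exit safe_run(scalar <STDIN>) unless caller;
```

Note that the shebang's -T only takes effect when the script is started with the -T switch as well (perl -T finger.pl, or via inetd with the interpreter line honoured); running it as plain perl finger.pl dies with "Too late for -T switch", which is the right failure mode for a daemon that is supposed to be taint-checked.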
Current thread:
- Re: perl fingerd stupidity Greg Bacon (Aug 01)