Bugtraq mailing list archives
Re: majordomo local exploit
From: henrik () EDLUND ORG (Henrik Edlund)
Date: Wed, 29 Dec 1999 16:20:38 +0100
- -snip-
# If the first argument is "@filename", read the real arguments
# from "filename", and shove them onto the ARGV for later processing
# by &Getopts()
#
if ($ARGV[0] =~ /^\@/) {
    $fn = shift(@ARGV);
    $fn =~ s/^@//;
    open(AV, $fn) || die("open(AV, \"$fn\"): $!\nStopped");
- -snip-
This security problem is as common as Perl scripts. Perl programmers should always specify for open what they want to do (read/write) and just not be lazy and skip that when they want to read. A simple fix like:

    open(AV, "< $fn") || die("open(AV, \"< $fn\"): $!\nStopped");

should fix this problem. As we specify that we are reading by using the < (less than) the script will simply choke and say that it can't open the filename starting with a | (pipe), instead of running the filename.

There is no need, I believe, to use the sysopen function as someone else suggested earlier. I believe this security hole has been covered in some other advisory concerning all Perl (especially CGI) scripts.

--
Henrik Edlund
http://www.edlund.org/

"They were in the wrong place at the wrong time. Naturally they became heroes."
Leia Organa of Alderaan, Senator
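Added example (not part of the original post and not Majordomo code): a small Perl script that runs the three ways of opening the "@filename" argument side by side, using a constructed file name that begins with a pipe. It assumes a Unix-like system with a `touch` command and Perl 5.6 or later (needed for the three-argument form, which passes the mode separately so nothing in the name is interpreted); the temporary directory and the marker file name `ran` are made up for the illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempdir);

# Throwaway directory: the only possible side effect is a marker file in it.
my $dir    = tempdir(CLEANUP => 1);
my $marker = "$dir/ran";

# Constructed "@filename" argument whose name starts with a pipe. If open()
# treats the name as a command, the harmless marker file appears.
my @args = ("\@|touch $marker");
(my $fn = $args[0]) =~ s/^\@//;

# Each sub opens $fn for reading in a different way and reports the result.
# The lexical handle is closed when the sub returns, which also waits for
# any child process that the open started.
my @forms = (
    [ 'open(AV, $fn)     ', sub { open(my $av, $fn)      ? 'opened' : "failed: $!" } ],
    [ 'open(AV, "< $fn") ', sub { open(my $av, "< $fn")  ? 'opened' : "failed: $!" } ],
    [ 'open(AV, "<", $fn)', sub { open(my $av, '<', $fn) ? 'opened' : "failed: $!" } ],
);

for my $form (@forms) {
    my ($label, $try) = @$form;
    unlink $marker;                      # reset between runs
    my $result = $try->();
    printf "%s  %-40s command %s\n",
        $label, $result, (-e $marker ? 'RAN' : 'did not run');
}
```

Only the mode-less form should report that the command ran; the other two should fail with "No such file or directory" because the name is looked up as an ordinary file.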