Bugtraq mailing list archives
Re: majordomo local exploit
From: jogata () NODC NOAA GOV (Jefferson Ogata)
Date: Wed, 29 Dec 1999 21:24:58 -0500
Henrik Edlund wrote: [majordomo Perl vulnerability discussion snipped]
> This security problem is as common as Perl scripts. Perl programmers should always specify for open what they want to do (read/write) and just not be lazy and skip that when they want to read. A simple fix like:
>
>     open(AV, "< $fn") || die("open(AV, \"< $fn\"): $!\nStopped");
>
> should fix this problem. As we specify that we are reading by using the < (less than) the script will simply choke and say that it can't open the filename starting with a | (pipe), instead of running the filename. There is no need, I believe, to use the sysopen function as someone else suggested earlier. I believe this security hole has been covered in some other advisory concerning all Perl (especially CGI) scripts.
Perl programmers should always use the taint flag (-T), full warnings (-w), and the strict module, and just not be lazy, period! These should be considered mandatory in code that will be distributed as part of any automated system, regardless of setuid execution.

With taint enabled, the programmer would have had to define the allowable range of arguments by untainting them, and this problem would not exist. Taint is there. Use it! Reliance on filename semantics for security is not the Proper Way.

Also, require 5.004_05 or newer. Unfortunately, 5.004_04 has a somewhat obscure taint bug.

Happy new year!

--
Jefferson Ogata <jogata () nodc noaa gov>
National Oceanographic Data Center
You can't step into the same river twice. -- Herakleitos
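The two recommendations in this exchange (an explicit read mode on open, and taint mode with an allowlist that untaints the file name) combined in one script, as an added example that is not code from the post or from majordomo. The helper names, the directory and the sample inputs are hypothetical, and the three-argument open used here requires Perl 5.6 or later, which is newer than the versions named in the post; run it as `perl -T script.pl`.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;

# Hypothetical helper: accept only a plain file name made of safe characters.
# Under -T, the regex capture ($1) is what produces an untainted value.
sub untaint_filename {
    my ($raw) = @_;
    return unless defined $raw;
    # First character must be alphanumeric or underscore, so no leading
    # '|', '<', '>', '-', '.' or space. No '/' anywhere. \z (not $) also
    # rejects a trailing newline.
    return $1 if $raw =~ /\A([A-Za-z0-9_][A-Za-z0-9_.-]{0,63})\z/;
    return;
}

# Hypothetical helper: open a validated name for reading inside a fixed directory.
sub open_for_read {
    my ($dir, $raw) = @_;
    my $name = untaint_filename($raw);
    defined $name or die "rejected file name\n";
    my $path = "$dir/$name";
    # The mode is a separate argument, so nothing inside $path can be
    # interpreted as a pipe or a redirection.
    open(my $fh, '<', $path) or die "open($path): $!\n";
    return $fh;
}

# Constructed sample inputs. In real use the name would come from @ARGV,
# the environment or an incoming message, all of which are tainted.
my @samples = ('digest.config', '|/bin/true', '../etc/passwd', ' >out', "list\n");

for my $s (@samples) {
    (my $shown = $s) =~ s/\n/\\n/g;
    # '/var/lib/example-lists' is a placeholder directory for this example.
    my $fh = eval { open_for_read('/var/lib/example-lists', $s) };
    my $result = $fh ? 'opened' : $@;
    chomp $result;
    printf "%-18s %s\n", "'$shown'", $result;
}
```

Only the first sample reaches open at all, and it is treated purely as a file path; every other input is refused by the allowlist before any file-name semantics come into play.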