Bugtraq mailing list archives
Re: perl-cgi hole in UltimateBB by Infopop Corp.
From: mckinnon () ISIS2000 COM (Bill McKinnon)
Date: Wed, 16 Feb 2000 09:06:47 -0700
On Tue, 15 Feb 2000, Andrew Danforth wrote:
On Mon, 14 Feb 2000, Bill wrote:Isn't open(FH, "< $variable") sufficient to stop any embedded |'s, etc from doing anything harmful, as well?Not really. Consider the following snippet: open PASSWD, '< /etc/passwd'; $var = '&PASSWD'; # also try $var = '&3'; open IN, "< $var"; print while (<IN>); Perl's open will dup other file descriptors if < is followed by &. This isn't as potentially problematic as forking commands, but there may be circumstances where someone could dup a filehandle and cause your script to behave strangely/output sensitive information/etc. Andrew
Interesting. And for the curious, this doesn't seem to be noticed by Perl's tainting mechanism, unless I'm misunderstanding something: $ perl -T - '&PW' open(PW, "/etc/passwd") or die "open(): $!\n"; $var = shift; open(FH, "< $var") or die "open(): $!\n"; print <FH>; (hit CTRL D here) root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin: daemon:x:2:2:daemon:/sbin: ... etc Anyway, this is probably getting off topic... - Bill
Current thread:
- perl-cgi hole in UltimateBB by Infopop Corp. Sergei A. Golubchik (Feb 11)
- Re: perl-cgi hole in UltimateBB by Infopop Corp. H D Moore (Feb 14)
- Re: perl-cgi hole in UltimateBB by Infopop Corp. Charles Capps (Feb 15)
- Re: perl-cgi hole in UltimateBB by Infopop Corp. Michael Wood (Feb 15)
- Remote Vulnerability in the MMDF SMTP Daemon NAI Labs (Feb 16)
- Re: perl-cgi hole in UltimateBB by Infopop Corp. Bill (Feb 14)
- Re: perl-cgi hole in UltimateBB by Infopop Corp. Andrew Danforth (Feb 15)
- Re: perl-cgi hole in UltimateBB by Infopop Corp. Bill McKinnon (Feb 16)
- Re: perl-cgi hole in UltimateBB by Infopop Corp. Brock Sides (Feb 17)
- AUTORUN.INF Vulnerability Eric Stevens (Feb 17)
- Re: AUTORUN.INF Vulnerability Jesper M. Johansson (Feb 18)
- UPDATED: NetBSD Security Advisory 2000-001 Daniel Carosone (Feb 18)
- Re: AUTORUN.INF Vulnerability Nick FitzGerald (Feb 19)
- Re: AUTORUN.INF Vulnerability Valentin Pletzer (Feb 20)
- MMDF Ran Atkinson (Feb 18)
- Re: perl-cgi hole in UltimateBB by Infopop Corp. Brock Sides (Feb 18)
- Re: perl-cgi hole in UltimateBB by Infopop Corp. Bennett Todd (Feb 18)
- Re: perl-cgi hole in UltimateBB by Infopop Corp. Andrew Danforth (Feb 15)
- Re: perl-cgi hole in UltimateBB by Infopop Corp. Dennis Taylor (Feb 18)
- Re: perl-cgi hole in UltimateBB by Infopop Corp. H D Moore (Feb 14)