Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Re: perl-cgi hole in UltimateBB by Infopop Corp.

From: mckinnon () ISIS2000 COM (Bill McKinnon)
Date: Wed, 16 Feb 2000 09:06:47 -0700

On Tue, 15 Feb 2000, Andrew Danforth wrote:


On Mon, 14 Feb 2000, Bill wrote:


   Isn't open(FH, "< $variable") sufficient to stop any embedded |'s, etc
from doing anything harmful, as well?


Not really.  Consider the following snippet:

open PASSWD, '< /etc/passwd';
$var = '&PASSWD'; # also try $var = '&3';
open IN, "< $var";
print while (<IN>);

Perl's open will dup other file descriptors if < is followed by &.  This
isn't as potentially problematic as forking commands, but there may be
circumstances where someone could dup a filehandle and cause your script
to behave strangely/output sensitive information/etc.

Andrew


   Interesting. And for the curious, this doesn't seem to be noticed by
Perl's tainting mechanism, unless I'm misunderstanding something:

$ perl -T - '&PW'
open(PW, "/etc/passwd") or die "open(): $!\n";

$var = shift;

open(FH, "< $var") or die "open(): $!\n";

print <FH>;

(hit CTRL D here)
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
...
etc

   Anyway, this is probably getting off topic...

- Bill
Previous By Date Next
Previous By Thread Next

Current thread: