Bugtraq mailing list archives
Re: perl-cgi hole in UltimateBB by Infopop Corp.
From: bsides () TOWERY COM (Brock Sides)
Date: Thu, 17 Feb 2000 10:33:07 -0600
On Wed, 16 Feb 2000, Bill McKinnon wrote:
Not really. Consider the following snippet:

    open PASSWD, '< /etc/passwd';
    $var = '&PASSWD'; # also try $var = '&3';
    open IN, "< $var";
    print while (<IN>);

Perl's open will dup other file descriptors if < is followed by &. This isn't as potentially problematic as forking commands, but there may be circumstances where someone could dup a filehandle and cause your script to behave strangely/output sensitive information/etc.
Interesting. And for the curious, this doesn't seem to be noticed by Perl's tainting mechanism, unless I'm misunderstanding something:

    $ perl -T - '&PW'
    open(PW, "/etc/passwd") or die "open(): $!\n";
    $var = shift;
    open(FH, "< $var") or die "open(): $!\n";
    print <FH>;
    (hit CTRL D here)
    root:x:0:0:root:/root:/bin/bash
    bin:x:1:1:bin:/bin:
    daemon:x:2:2:daemon:/sbin:
    ... etc
Perl's tainting mechanism only comes into play if you are invoking an external command in some way: via system, exec, backticks, or opening a filehandle to or from a pipe. For example,

    #!/usr/bin/perl -w -T
    open(PW, "<$ARGV[0]") or die $!;
    print <PW>;
    __END__

will run without complaint, as long as the filename you pass it in $ARGV[0] is readable. However,

    #!/usr/bin/perl -w -T
    $ENV{PATH}=''; # we need a safe path
    $ENV{BASH_ENV}=''; # and a safe bash env
    open(PW, "/bin/cat $ARGV[0] |") or die $!;
    print <PW>;
    __END__

which does the same thing, will die with an "Insecure dependency in piped open while running with -T switch" error.

--
Brock Sides
Unix Systems Administration
Towery Publishing
bsides () towery com
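An added example, not part of the original message or written by anyone in the thread: it contrasts the two-argument open discussed above with the three-argument form, where the mode is a separate argument and a leading & in the name is not interpreted. The temporary file, the SECRET handle and the sub names are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempfile);

# Constructed stand-in for a sensitive file the script already has open.
my ($tmp, $path) = tempfile(UNLINK => 1);
print {$tmp} "constructed-secret-line\n";
close $tmp or die "close: $!";

# Bareword handle, as in the thread, so the string '&SECRET' can name it.
open(SECRET, '<', $path) or die "open: $!";

# Two-argument open: mode and name travel in one string, so a name that
# starts with '&' is parsed as "dup this handle", not as a filename.
sub two_arg_read {
    my ($name) = @_;
    seek(SECRET, 0, 0) or die "seek: $!";
    open(my $in, "<$name") or return;
    my $line = <$in>;
    close $in;
    return $line;
}

# Three-argument open: the mode is fixed at '<' and $name is only ever a
# filename, so '&SECRET' is looked up on disk and (normally) not found.
sub three_arg_read {
    my ($name) = @_;
    seek(SECRET, 0, 0) or die "seek: $!";
    open(my $in, '<', $name) or return;
    my $line = <$in>;
    close $in;
    return $line;
}

# '&SECRET' is the constructed hostile input; $path is an ordinary filename.
for my $name ('&SECRET', $path) {
    for my $case (['two-arg', \&two_arg_read], ['three-arg', \&three_arg_read]) {
        my $line = $case->[1]->($name);
        if (defined $line) { chomp $line; $line = "read '$line'" }
        else               { $line = "open failed ($!)" }
        printf "%-9s %-12s %s\n", $case->[0], ($name eq $path ? '<tempfile>' : $name), $line;
    }
}
```

Both forms read the ordinary filename; only the two-argument form returns the contents of the already-open handle when given &SECRET.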