Full Disclosure mailing list archives
Re: Re: Format String Vulnerabilities in Perl Programs
From: "Steven M. Christey" <coley () linus mitre org>
Date: Sun, 4 Dec 2005 01:49:25 -0500 (EST)
It was mentioned this week, but not in my paper, so it didn't hurt for it to be mentioned again :) - Steve On Sun, 4 Dec 2005, Stan Bubrouski wrote:
On 12/3/05, Michael J. Pomraning <mjp () securepipe com> wrote: <SNIP>For Perl projects, I'd also nominate syslog(), from the standard Sys::Syslog module, for special attention. It's common in *NIX environments regardless of programmers' backgrounds and is extremely likely to be called with untrusted data interpolated directly in the format string argument -- syslog("info", "A user said $user_input"), for example.This has been mentioned numerous times, including this week (?), nothing new. -sb
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Format String Vulnerabilities in Perl Programs Steven M. Christey (Dec 02)
- Re: Format String Vulnerabilities in Perl Programs Michael J. Pomraning (Dec 03)
- Re: Re: Format String Vulnerabilities in Perl Programs Stan Bubrouski (Dec 03)
- Re: Re: Format String Vulnerabilities in Perl Programs Steven M. Christey (Dec 04)
- Re: Re: Format String Vulnerabilities in Perl Programs Stan Bubrouski (Dec 03)
- Re: Format String Vulnerabilities in Perl Programs Chris Umphress (Dec 03)
- Re: Format String Vulnerabilities in Perl Programs Steven M. Christey (Dec 04)
- Re: Format String Vulnerabilities in Perl Programs Michael J. Pomraning (Dec 03)