Vulnerability Development mailing list archives
Re: PERL's -e check
From: Adam Prato <sirsyko () MERGIOO ISHIBOO COM>
Date: Mon, 25 Dec 2000 23:29:53 -0800
On Sun, Dec 24, 2000 at 07:11:40PM -0500, Joe Testa wrote:
> Hi all -- I've noticed here and there that some PERL scripts pass user
> input directly into an open() call protected by a "-e" check. Example:
>
> # $temp_file is taken from the submitted form
> if(-e $temp_file) {
>     open(TEMP, "<$temp_file");
>     ...
> }
>
> Is there any trick that would bypass the "-e"? Thanks in advance.
>
> - Joe Testa
>
> P.S. Greets to @stake and the cDc.

All this does is open a filehandle (TEMP) based on the filename stored in $temp_file if it exists (checked by the -e test operator)... The standard way to "defeat" this is to symlink the file stored in $temp_file to a different file on the system. Thus if the script runs with elevated privileges, you could access data accessible by the elevated privileges.

Beyond this, I'm at a loss for what you are trying to accomplish. What do you mean that "PERL scripts pass user input directly into an open call 'protected by a -e check'"? This doesn't make much sense. Are you saying that some perl scripts (assuming you mean a cgi) take user input and write the user input to a filehandle? The "-e" does nothing to 'protect' this. And the only trick to "bypass" the -e test operator is to first create the file it's looking for somehow (since -e checks to see if a file exists).

<ss>
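
A hardened counterpart to the `-e` then `open()` pattern from the quoted question, added here as an example and not code from either poster. It validates the name, refuses a symlink at open time, and checks the handle it actually opened instead of the path. The helper `open_checked`, the allowlist pattern and the sample file names are hypothetical, and `O_NOFOLLOW` is assumed to be available (Linux, BSD).

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Fcntl qw(O_RDONLY O_NOFOLLOW S_ISREG);
use File::Temp qw(tempdir);

# Hypothetical helper: open a user-named file only if it is a plain
# file directly inside $base_dir. Returns a read handle, or nothing.
sub open_checked {
    my ($base_dir, $name) = @_;

    # Allowlist the name: letters, digits, '_', '.', '-' only, so it can
    # never contain a slash or start with a dot or dash.
    return unless defined $name
        && $name =~ /\A[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}\z/;

    # sysopen takes the path literally (two-argument open parses mode
    # characters out of the string), and O_NOFOLLOW makes the call fail
    # when the final path component is a symlink.
    sysopen(my $fh, "$base_dir/$name", O_RDONLY | O_NOFOLLOW) or return;

    # stat the handle, not the path: the check applies to the object that
    # was opened, so nothing can be swapped in between check and use.
    my @st = stat($fh);
    unless (@st && S_ISREG($st[2])) {
        close $fh;
        return;
    }
    return $fh;
}

# Constructed sample data in a scratch directory.
my $dir = tempdir(CLEANUP => 1);
open(my $out, '>', "$dir/upload.txt") or die "create: $!";
print {$out} "sample\n";
close $out;
symlink("$dir/upload.txt", "$dir/link.txt") or die "symlink: $!";

for my $name ('upload.txt', 'link.txt', 'sub/file.txt', 'missing.txt') {
    my $fh = open_checked($dir, $name);
    printf "%-14s %s\n", $name, $fh ? 'opened' : 'refused';
    close $fh if $fh;
}
```

`O_NOFOLLOW` only covers the last path component, so the base directory itself must not be writable by untrusted users.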