Re: execution inside of Perl reg ex?

[rpc <h () ckz org>]

Hi,

I don't believe there is a way to use (?{}) without playing by Perl's rules. If
you take a look at regcomp.c in the perl source tree, you'll see that it
performs this check on the first pass, while still identifying which regular
expression symbols are present.

--rpc


On Fri, 29 Dec 2000 15:04:52 -0600, Cypher said:

> hello -
>
>  I have a question relating to executing code inside of a Win32 Perl
>  regular expression. I am trying to find a vulnerability in a CGI program
>  of unknown origin named search.pl (to which I, unfortunately, do not have
>  the source).  The CGI does not do any error checking on input characters
>  which are, presumably, passed into a reg ex. For example, when I input:
>
>  (?{print"hello";})
>
>  or anything else in (?{...}) format, I get the following error:
>
>  CGI Error
>  The specified CGI application misbehaved by not returning a complete set
>  of HTTP headers. The headers it did return are:
>
>  /(?{print"hello";})/: Eval-group not allowed at runtime, use re 'eval' at
>  D:\Inetpub\cgi-bin\search.pl line 261.
>
>
>  My question is, does anyone know of any other ways to execute code in a
>  reg ex?  Or, and this is an even longer shot, is there anyway of fooling
>  Perl into ignoring the fact that use re 'eval' has not been specified?
>  Also, the program must split on a space, since inputting
>
>  (?{print "hello";})
>
>  causes search.pl to return the following error:
>
>  /(?{print/: Sequence (?{...}) not terminated or not {}-balanced at
>  D:\Inetpub\cgi-bin\search.pl line 261
>
>
>  Any ideas? Also, does anyone know of any good Perl hacking/security pages?
>  I have searched quite a bit, but have not been able to find anything
>  useful. thanks -
>
>       /d