Re: majordomo local exploit

[jogata () NODC NOAA GOV (Jefferson Ogata)]

Henrik Edlund wrote:
[majordomo Perl vulnerability discussion snipped]
> This security problem is as common as Perl scripts. Perl
> programmers should always specify for open what they want to do
> (read/write) and just not be lazy and skip that when they want to
> read. A simple fix like:
>
> open(AV, "< $fn") || die("open(AV, \"< $fn\"): $!\nStopped");
>
> should fix this problem. As we specify that we are reading by
> using the < (less than) the script will simple choke and say that
> it can't open the filename starting with a | (pipe), instead of
> running the filename. There is no need, I believe, to use the
> sysopen function as someone else suggested earlier.
>
> I believe this security hole has been covered in some other
> advisory concerning all Perl (especially CGI) scripts.

Perl programmers should always use the taint flag (-T), full warnings (-w), and
the strict module, and just not be lazy, period! These should be considered
mandatory in code that will be distributed as part of any automated system,
regardless of setuid execution. With taint enabled, the programmer would have
had to define the allowable range of arguments by untainting them, and this
problem would not exist.

Taint is there. Use it! Reliance on filename semantics for security is not the
Proper Way.

Also, require 5.004_05 or newer. Unfortunately, 5.004_04 has a somewhat obscure
taint bug.

Happy new year!

--
Jefferson Ogata <jogata () nodc noaa gov> National Oceanographic Data Center
You can't step into the same river twice. -- Herakleitos