Bugtraq mailing list archives

Re: perl-cgi hole in UltimateBB by Infopop Corp.

From: mckinnon () ISIS2000 COM (Bill)
Date: Mon, 14 Feb 2000 15:33:14 -0500


"Sergei A. Golubchik" wrote:


The fix is obvious. But the rule of the thumb is "do not use magic perl open".
At least in cgi scripts. If you want to open regular file, sysopen does
the trick as well.


   Isn't open(FH, "< $variable") sufficient to stop any embedded |'s, etc
from doing anything harmful, as well?

- Bill

Current thread:

perl-cgi hole in UltimateBB by Infopop Corp. Sergei A. Golubchik (Feb 11)
- Re: perl-cgi hole in UltimateBB by Infopop Corp. H D Moore (Feb 14)
  - Re: perl-cgi hole in UltimateBB by Infopop Corp. Charles Capps (Feb 15)
  - Re: perl-cgi hole in UltimateBB by Infopop Corp. Michael Wood (Feb 15)
  - Remote Vulnerability in the MMDF SMTP Daemon NAI Labs (Feb 16)
- Re: perl-cgi hole in UltimateBB by Infopop Corp. Bill (Feb 14)
  - Re: perl-cgi hole in UltimateBB by Infopop Corp. Andrew Danforth (Feb 15)
    - Re: perl-cgi hole in UltimateBB by Infopop Corp. Bill McKinnon (Feb 16)
    - Re: perl-cgi hole in UltimateBB by Infopop Corp. Brock Sides (Feb 17)
    - AUTORUN.INF Vulnerability Eric Stevens (Feb 17)
    - Re: AUTORUN.INF Vulnerability Jesper M. Johansson (Feb 18)
    - UPDATED: NetBSD Security Advisory 2000-001 Daniel Carosone (Feb 18)
    - Re: AUTORUN.INF Vulnerability Nick FitzGerald (Feb 19)
    - Re: AUTORUN.INF Vulnerability Valentin Pletzer (Feb 20)
    - MMDF Ran Atkinson (Feb 18)
    - Re: perl-cgi hole in UltimateBB by Infopop Corp. Brock Sides (Feb 18)

(Thread continues...)