Full Disclosure mailing list archives
Re: Re: Format String Vulnerabilities in Perl Programs
From: Stan Bubrouski <stan.bubrouski () gmail com>
Date: Sun, 4 Dec 2005 01:44:29 -0500
On 12/3/05, Michael J. Pomraning <mjp () securepipe com> wrote:
<SNIP>
> For Perl projects, I'd also nominate syslog(), from the standard Sys::Syslog module, for special attention. It's common in *NIX environments regardless of programmers' backgrounds and is extremely likely to be called with untrusted data interpolated directly in the format string argument -- syslog("info", "A user said $user_input"), for example.

This has been mentioned numerous times, including this week (?), nothing new.

-sb

> Regards,
> Mike
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
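The unsafe call quoted above next to its corrected form, as an added example that is not part of the original post. Sys::Syslog documents the second argument of syslog() as a sprintf-style format, so the demo uses sprintf directly to show how such a format is parsed; the sample input and the helper names (format_unsafe, format_safe, log_user_text) are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Sys::Syslog qw(openlog syslog closelog);

# Constructed sample input standing in for text supplied by a remote user.
my $user_input = 'report is 100%done, see %s';

# Pattern from the post: untrusted text interpolated into the format string.
# The '%d' and '%s' inside the user's text are parsed as conversions.
sub format_unsafe {
    my ($input) = @_;
    my @warned;
    local $SIG{__WARN__} = sub { push @warned, $_[0] };
    my $msg = sprintf("A user said $input");
    return ($msg, scalar @warned);
}

# Corrected pattern: constant format, untrusted text passed only as an argument.
sub format_safe {
    my ($input) = @_;
    return sprintf('A user said %s', $input);
}

# The same correction applied to the real call (hypothetical helper name).
sub log_user_text {
    my ($input) = @_;
    openlog('fmt-demo', 'pid', 'user');
    # Constant format string; never syslog('info', "A user said $input").
    syslog('info', 'A user said %s', $input);
    closelog();
}

my ($bad, $warnings) = format_unsafe($user_input);
print "unsafe: $bad ($warnings sprintf warnings)\n";
print "safe:   ", format_safe($user_input), "\n";

# Writing to the local syslog is opt-in so the demo runs without a daemon.
log_user_text($user_input) if @ARGV && $ARGV[0] eq '--syslog';
```

In the unsafe form the logged text no longer matches what the user sent, while the safe form records it byte for byte.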