Vulnerability Development mailing list archives

Re: PERL's -e check


From: "Juergen P. Meier" <jpm () class de>
Date: Tue, 26 Dec 2000 11:05:44 +0100

On Sun, Dec 24, 2000 at 07:11:40PM -0500, Joe Testa wrote:
> Hi all --
>
>       I've noticed here and there that some PERL scripts pass user input
> directly into an open() call protected by a "-e" check.  Example:
>
>       # $temp_file is taken from the submitted form
>       if(-e $temp_file) {
>               open(TEMP, "<$temp_file");
>               ...
>       }
>
>       Is there any trick that would bypass the "-e"?  Thanks in advance.

good morning,

Race condition.
Just create some (artificial) heavy load and low memory condition
and chances are good that your OS runs its task scheduler just
between the if line and the open call, resulting in your attack
script running just after the if check and before the Perl script
opens the file. This is especially bad if it happens in /tmp ;)
You may now replace $temp_file with anything you wish.

The above code is just not "atomic" and thus typically vulnerable
to race-condition attacks.

>       - Joe Testa
>
>
> P.S.  Greets to @stake and the cDc.

J.

--
Juergen P. Meier                        email: jpm () class de
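The following Perl is an added example, not code from either poster, showing how the "-e then open()" pattern above is restructured so that the race Juergen describes has nothing to win: there is no separate existence check at all, the file is opened first (with O_NOFOLLOW, so a symlink swapped in under /tmp is not followed), the checks are then made on the handle actually obtained via stat($fh), and the user-supplied name is constrained to a plain file name inside one fixed directory. The directory $TEMP_DIR and the function names open_temp_safely/validate_name are assumptions for illustration.

```perl
#!/usr/bin/perl
# Added example (not from the thread): open first, then check the handle,
# instead of "if (-e $file) { open(...) }", which checks a name that an
# attacker can change between the test and the open.
use strict;
use warnings;
use Fcntl qw(O_RDONLY O_NOFOLLOW :mode);   # O_NOFOLLOW is exported on Linux/BSD
use File::Spec;

# Assumed location for this example; user input never chooses a directory.
my $TEMP_DIR = '/var/spool/myapp/tmp';

# Accept only a simple file name: no path separators, no '..', no leading dot.
sub validate_name {
    my ($name) = @_;
    return undef
        unless defined $name && $name =~ /\A[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}\z/;
    return File::Spec->catfile($TEMP_DIR, $name);
}

# Returns ($fh, undef) on success or (undef, $reason) on refusal.
sub open_temp_safely {
    my ($user_input) = @_;
    my $path = validate_name($user_input)
        or return (undef, 'rejected file name');

    # Open without any prior -e test; O_NOFOLLOW refuses a symlink at $path.
    my $fh;
    sysopen($fh, $path, O_RDONLY | O_NOFOLLOW)
        or return (undef, "open failed: $!");

    # stat on the HANDLE describes the file we hold, not whatever the name
    # points to now; this is the check that cannot be raced.
    my @st = stat($fh)
        or do { close $fh; return (undef, "fstat failed: $!") };
    my ($mode, $nlink, $uid) = @st[2, 3, 4];

    unless (S_ISREG($mode)) { close $fh; return (undef, 'not a regular file') }
    unless ($uid == $>)     { close $fh; return (undef, 'not owned by this process') }
    unless ($nlink == 1)    { close $fh; return (undef, 'file has extra hard links') }

    return ($fh, undef);
}

# Demonstration on constructed input; only the first name can pass validation.
if (!caller) {
    for my $candidate ('report.txt', '../../etc/passwd', '.hidden', 'a/b') {
        my ($fh, $err) = open_temp_safely($candidate);
        if ($fh) { print "opened $candidate\n"; close $fh }
        else     { print "refused '$candidate': $err\n" }
    }
}
```

The ownership and link-count checks are what replace the intent of the original "-e": a file planted by another user in a shared directory, or a hard link to a file the attacker cannot otherwise read, fails after the open rather than being read. Because the decision is made on the descriptor the process already holds, rescheduling between the check and the read changes nothing.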

