Vulnerability Development mailing list archives
Re: PERL's -e check
From: "Juergen P. Meier" <jpm () class de>
Date: Tue, 26 Dec 2000 11:05:44 +0100
On Sun, Dec 24, 2000 at 07:11:40PM -0500, Joe Testa wrote:
> Hi all -- I've noticed here and there that some PERL scripts pass user input
> directly into an open() call protected by a "-e" check. Example:
>
> # $temp_file is taken from the submitted form
> if(-e $temp_file) {
>     open(TEMP, "<$temp_file");
>     ...
> }
>
> Is there any trick that would bypass the "-e"? Thanks in advance.

Good morning,

Race condition. Just create some (artificial) heavy load and low memory condition and chances are good that your OS runs its task scheduler just between the if line and the open call, resulting in your attack script running just after the if check and before the Perl script opens the file. This is especially bad if it happens in /tmp ;)

You may now replace $temp_file with anything you wish. The above code is just not "atomic" and thus typically vulnerable to race-condition attacks.

> - Joe Testa
>
> P.S. Greets to @stake and the cDc.

J.
--
Juergen P. Meier    email: jpm () class de
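
The gap between the "-e" test and the open() described in the reply disappears when the open itself is the existence test and every further check runs on the handle that was obtained. This is an added example, not code from the thread: the helper name open_upload, the file-name pattern and the scratch-directory demo are assumptions, and O_NOFOLLOW / O_NONBLOCK assume a POSIX system.

```perl
use strict;
use warnings;
use Fcntl qw(O_RDONLY O_NOFOLLOW O_NONBLOCK);
use File::Spec;
use File::Temp qw(tempdir);

# Hypothetical helper: open a user-named file inside $base_dir.
# Assumes $base_dir is private to the application (not a shared /tmp),
# because O_NOFOLLOW only guards the final path component.
sub open_upload {
    my ($base_dir, $name) = @_;

    # Accept a bare file name only: no separators, no leading dot.
    return unless defined $name
        && $name =~ /\A[A-Za-z0-9_][A-Za-z0-9_.-]*\z/;

    my $path = File::Spec->catfile($base_dir, $name);

    # A single system call both tests for existence and opens the file,
    # so there is no window between a check and a use. sysopen passes the
    # name to the OS as-is, with none of 2-arg open()'s string parsing.
    # O_NOFOLLOW refuses a symlink as the last component; O_NONBLOCK
    # keeps a FIFO planted under that name from blocking the open.
    sysopen(my $fh, $path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK)
        or return;

    # -f on a handle is an fstat(): it describes the object we actually
    # hold, not whatever the path points to by now.
    unless (-f $fh) {
        close $fh;
        return;
    }
    return $fh;
}

# Constructed demo data: one regular file and one symlink to it.
my $dir  = tempdir(CLEANUP => 1);
my $real = File::Spec->catfile($dir, 'form1.tmp');
open(my $out, '>', $real) or die "cannot create $real: $!";
print {$out} "submitted form data\n";
close $out;
symlink($real, File::Spec->catfile($dir, 'link.tmp'));

for my $name ('form1.tmp', 'link.tmp', 'missing.tmp', '../form1.tmp') {
    my $fh = open_upload($dir, $name);
    printf "%-14s %s\n", $name, $fh ? 'opened' : 'refused';
    close $fh if $fh;
}
```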