Re: perl-cgi hole in UltimateBB by Infopop Corp.

From: Bill (mckinnonat_private)
Date: Mon Feb 14 2000 - 12:33:14 PST

    "Sergei A. Golubchik" wrote:
    >
    > The fix is obvious. But the rule of thumb is "do not use magic perl open".
    > At least in CGI scripts. If you want to open a regular file, sysopen does
    > the trick as well.
    
       Isn't open(FH, "< $variable") sufficient to stop any embedded |'s, etc
    from doing anything harmful, as well?
    
    - Bill
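
The sysopen approach discussed in this thread, as an added example that is not part of the original messages. It also shows three-argument open (Perl 5.6 and later) next to it. The helper names `open_literal` and `open_three_arg` and the sample filenames are hypothetical, and a Unix-like filesystem is assumed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Cwd qw(getcwd);
use Fcntl qw(O_RDONLY O_WRONLY O_CREAT O_EXCL);
use File::Temp qw(tempdir);

# Hypothetical helper: open $name for reading with no parsing of the name.
# sysopen() hands the string to open(2) unchanged, so '|', '<', '>' and
# surrounding whitespace are just bytes of the filename.
sub open_literal {
    my ($name) = @_;
    sysopen(my $fh, $name, O_RDONLY) or return;
    return $fh;
}

# Same guarantee from three-argument open (Perl 5.6 and later): the mode is
# a separate argument, so nothing in $name can select a mode or a pipe.
sub open_three_arg {
    my ($name) = @_;
    open(my $fh, '<', $name) or return;
    return $fh;
}

# Constructed sample data: files whose names contain the characters that
# two-argument open() treats as syntax rather than as part of the name.
my $start = getcwd();
my $dir   = tempdir(CLEANUP => 1);
chdir $dir or die "chdir: $!";
my @names = ('report.txt', 'report.txt|', '>report.txt', ' report.txt ');
for my $name (@names) {
    sysopen(my $out, $name, O_WRONLY | O_CREAT | O_EXCL, 0600)
        or die "create [$name]: $!";
    print {$out} "contents of [$name]\n";
    close $out or die "close [$name]: $!";
}

# Every name opens the file with exactly that name; a name that does not
# exist fails with an error instead of being run as a command.
for my $name (@names, 'missing.txt|') {
    for my $opener (\&open_literal, \&open_three_arg) {
        my $fh  = $opener->($name);
        my $got = $fh ? scalar readline($fh) : "open failed: $!\n";
        printf "%-16s -> %s", "[$name]", $got;
    }
}
chdir $start or die "chdir back: $!";
```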
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:34:50 PDT