Re: perl-cgi hole in UltimateBB by Infopop Corp.

From: Andrew Danforth (acdat_private)
Date: Tue Feb 15 2000 - 16:03:35 PST


    On Mon, 14 Feb 2000, Bill wrote:
    
    > "Sergei A. Golubchik" wrote:
    > > The fix is obvious. But the rule of thumb is "do not use magic perl
    > > open".  At least in cgi scripts. If you want to open a regular file,
    > > sysopen does the trick as well.
    >
    >    Isn't open(FH, "< $variable") sufficient to stop any embedded |'s, etc
    > from doing anything harmful, as well?
    
    Not really.  Consider the following snippet:
    
    open PASSWD, '< /etc/passwd';
    $var = '&PASSWD'; # also try $var = '&3';
    open IN, "< $var";
    print while (<IN>);
    
    Perl's open will dup other file descriptors if < is followed by &.  This
    isn't as potentially problematic as forking commands, but there may be
    circumstances where someone could dup a filehandle and cause your script
    to behave strangely/output sensitive information/etc.
    
    Andrew
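
An added example, not part of the original message: the descriptor dup described above with two-argument open, beside sysopen (suggested in the quoted text) and three-argument open (not mentioned in the thread), both of which treat the same string as a literal path. The handle name SECRET, the temp file and the input value are constructed for illustration, and the example assumes no file literally named `&SECRET` exists in the working directory.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Fcntl qw(O_RDONLY);
use File::Temp qw(tempfile);

# Constructed sample: a temp file stands in for a sensitive file that the
# script already holds open under the bareword handle SECRET.
my ($tmp_fh, $tmp_path) = tempfile(UNLINK => 1);
print {$tmp_fh} "constructed-secret-line\n";
close $tmp_fh;
open(SECRET, '<', $tmp_path) or die "setup failed: $!";

# Constructed request parameter; the script expects a file name here.
my $user_input = '&SECRET';

# Each opener returns a filehandle, or undef if the open failed.
my @openers = (
    # Two-argument open: Perl parses the mode out of the string, so
    # "< &SECRET" is read as "dup the already-open handle SECRET".
    [ 'open FH, "< $name"' =>
        sub { open(my $fh, "< $_[0]") ? $fh : undef } ],
    # Three-argument open: the mode is fixed, the name is only ever a path.
    [ 'open FH, "<", $name' =>
        sub { open(my $fh, '<', $_[0]) ? $fh : undef } ],
    # sysopen never interprets its path argument.
    [ 'sysopen FH, $name, O_RDONLY' =>
        sub { sysopen(my $fh, $_[0], O_RDONLY) ? $fh : undef } ],
);

for my $case (@openers) {
    my ($label, $opener) = @$case;
    my $fh = $opener->($user_input);
    if ($fh) {
        my $line = <$fh>;
        chomp $line if defined $line;
        printf "%-28s opened, first line: %s\n", $label, $line // '(empty)';
        close $fh;
    } else {
        printf "%-28s refused: %s\n", $label, $!;
    }
}
close SECRET;
```

Only the first form returns the contents of the file behind SECRET; the other two fail because they look for a file with that literal name.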
    


