Re: Can System() of Perl be bypassed?

From: Luciano Miguel Ferreira Rocha (strangeat_private-ip.org)
Date: Thu Jan 23 2003 - 16:27:49 PST

Next message: Jason Coombs: "RE: PGP scripting..."

Previous message: Gustaf Bjorksten: "RE: Standards for developing secure software"
In reply to: Brian Hatch: "Re: Can System() of Perl be bypassed?"
Next in thread: Glynn Clements: "Re: Can System() of Perl be bypassed?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, Jan 23, 2003 at 02:15:43PM -0800, Brian Hatch wrote:
> > my @args = ($Keywords,....);
> > my @cmd = ("$JAVA",
> > 	     "-search.home=$SEARCH_HOME",
> > 	     "Searcher",
> > 	     @args);
> > system(@cmd) == 0) ||error();
> > 
> > Need I be more paranoid than this and use my own regex to filter out 
> > keywords my self?
 
> However I have no idea if those values could be used to
> break the program itself ($JAVA).  If this program were
> running with greater privs (suid, CGI, etc) then they can
> supply a new $SEARCH_HOME path then they could cause their
> own code to run.  If there are bad keywords then you aren't
> doing anything to get rid of them.  (Or, preferably, only
> allowing good keywords.)

Java (at least Sun's sdk) ignores any options after a class or jar file,
and passes them to the application instead.

Regards,
Luciano Rocha

-- 
Consciousness: that annoying time between naps.

Next message: Jason Coombs: "RE: PGP scripting..."
Previous message: Gustaf Bjorksten: "RE: Standards for developing secure software"
In reply to: Brian Hatch: "Re: Can System() of Perl be bypassed?"
Next in thread: Glynn Clements: "Re: Can System() of Perl be bypassed?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Thu Jan 23 2003 - 16:37:56 PST