Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: perl fingerd stupidity
From: gbacon () CRP-201 ADTRAN COM (Greg Bacon)
Date: Fri, 1 Aug 1997 08:30:03 -0500


If that fingerd were run with taint checks on (i.e. #! perl -T), then
it wouldn't be such a huge hole.  A better way to have done it would
be something like:

    #! /usr/bin/perl -T

    require 5;  # if you don't have it, upgrade already! :-)

    $ENV{PATH} = join ":", qw( /bin /usr/bin );

    $user = <STDIN>;
    chomp $user;

    if (-e "/usr/lib/finger/$user") {
        system "perl", "/usr/lib/finger/$user";
    }
    else {
        system "perl", "/usr/lib/finger/default", $user;
    }

Note that passing a list to system (or exec) bypasses the shell, so
even if $user eq 'foo; rm -rf /', there is no danger as far as this
script is concerned (it all depends on what those scripts in /usr/lib
are doing with their arguments).

(If you're still wondering about taint checks, -T is just an instruction
to perl telling it that it shouldn't let data from the outside world come
in and be a part of operations that affect the outside world without first
being subject to a thorough looking over.)

Greg
--
open(G,"|gzip -dc");$_=<<EOF;s/[0-9a-f]+/print G pack("h*",$&)/eg
f1b88000b620f22320303fa2d2e21584ccbcf29c84d2258084
d2ac158c84c4ece4d22d1000118a8d5491000000
EOF



  By Date           By Thread  

Current thread:
  • Re: perl fingerd stupidity Greg Bacon (Aug 01)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]