Home page logo

bugtraq logo Bugtraq mailing list archives

Re: perl fingerd stupidity
From: gbacon () CRP-201 ADTRAN COM (Greg Bacon)
Date: Fri, 1 Aug 1997 08:30:03 -0500

If that fingerd were run with taint checks on (i.e. #! perl -T), then
it wouldn't be such a huge hole.  A better way to have done it would
be something like:

    #! /usr/bin/perl -T

    require 5;  # if you don't have it, upgrade already! :-)

    $ENV{PATH} = join ":", qw( /bin /usr/bin );

    $user = <STDIN>;
    chomp $user;

    if (-e "/usr/lib/finger/$user") {
        system "perl", "/usr/lib/finger/$user";
    else {
        system "perl", "/usr/lib/finger/default", $user;

Note that passing a list to system (or exec) bypasses the shell, so
even if $user eq 'foo; rm -rf /', there is no danger as far as this
script is concerned (it all depends on what those scripts in /usr/lib
are doing with their arguments).

(If you're still wondering about taint checks, -T is just an instruction
to perl telling it that it shouldn't let data from the outside world come
in and be a part of operations that affect the outside world without first
being subject to a thorough looking over.)

open(G,"|gzip -dc");$_=<<EOF;s/[0-9a-f]+/print G pack("h*",$&)/eg

  By Date           By Thread  

Current thread:
  • Re: perl fingerd stupidity Greg Bacon (Aug 01)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]