Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: majordomo local exploit
From: henrik () EDLUND ORG (Henrik Edlund)
Date: Wed, 29 Dec 1999 16:20:38 +0100


- -snip-

# If the first argument is "@filename", read the real arguments
# from "filename", and shove them onto the ARGV for later processing
# by &Getopts()
#
if ($ARGV[0] =~ /^\@/) {
    $fn = shift(@ARGV);
    $fn =~ s/^@//;
    open(AV, $fn) || die("open(AV, \"$fn\"): $!\nStopped");

- -snip-

This security problem is as common as Perl scripts. Perl
programmers should always specify for open what they want to do
(read/write) and just not be lazy and skip that when they want to
read. A simple fix like:

open(AV, "< $fn") || die("open(AV, \"< $fn\"): $!\nStopped");

should fix this problem. As we specify that we are reading by
using the < (less than) the script will simple choke and say that
it can't open the filename starting with a | (pipe), instead of
running the filename. There is no need, I believe, to use the
sysopen function as someone else suggested earlier.

I believe this security hole has been covered in some other
advisory concerning all Perl (especially CGI) scripts.

--
Henrik Edlund
http://www.edlund.org/

  "They were in the wrong place at the wrong time.
Naturally they became heroes."
                  Leia Organa of Alderaan, Senator



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault