Bugtraq mailing list archives

Re: majordomo local exploit
From: henrik () EDLUND ORG (Henrik Edlund)
Date: Wed, 29 Dec 1999 16:20:38 +0100

-snip-

# If the first argument is "@filename", read the real arguments
# from "filename", and shove them onto the ARGV for later processing
# by &Getopts()
if ($ARGV[0] =~ /^\@/) {
    $fn = shift(@ARGV);
    $fn =~ s/^@//;
    open(AV, $fn) || die("open(AV, \"$fn\"): $!\nStopped");

-snip-

This security problem is as common as Perl scripts. Perl
programmers should always specify for open what they want to do
(read/write) and just not be lazy and skip that when they want to
read. A simple fix like:

open(AV, "< $fn") || die("open(AV, \"< $fn\"): $!\nStopped");

should fix this problem. As we specify that we are reading by
using the < (less than) the script will simply choke and say that
it can't open the filename starting with a | (pipe), instead of
running the filename. There is no need, I believe, to use the
sysopen function as someone else suggested earlier.

I believe this security hole has been covered in some other
advisory concerning all Perl (especially CGI) scripts.

Henrik Edlund

  "They were in the wrong place at the wrong time.
Naturally they became heroes."
                  Leia Organa of Alderaan, Senator
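
The comparison below is an added example, not part of the original post or of majordomo: it opens the same name three ways and reports whether Perl ran it as a command or looked for a file. The name `| true` is a constructed sample with a harmless stand-in command, and the three-argument open() is an assumption that needs Perl 5.6 or later, so it postdates the post.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample: the value $fn would hold after the leading "@" has
# been stripped from $ARGV[0]. "true" is a harmless stand-in command and
# no file with this name exists in the current directory.
my $fn = '| true';

# Each entry: a label and a closure that opens its argument one way.
# The closure returns open()'s own return value: a child pid when the name
# was run as a command, 1 for a plain file, false on failure.
my @variants = (
    # As in the quoted snippet: no mode, so Perl takes the mode from $fn.
    [ 'open(AV, $fn)',      sub { open(my $fh, $_[0]) } ],
    # The fix proposed in the post: read mode stated inside the string.
    [ 'open(AV, "< $fn")',  sub { open(my $fh, "< $_[0]") } ],
    # Three-argument form: mode and name are separate arguments, so the
    # name is never scanned for mode characters.
    [ 'open(AV, "<", $fn)', sub { open(my $fh, '<', $_[0]) } ],
);

for my $variant (@variants) {
    my ($label, $try) = @$variant;
    my $rv = $try->($fn);
    my $result = $rv
        ? 'opened: the name was run as a command'
        : "refused: $!";
    printf "%-22s %s\n", $label, $result;
}
```

Only the first variant starts a process; the other two fail with "No such file or directory" because they look for a file literally named `| true`.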
