mailing list archives
Re: majordomo local exploit
From: jogata () NODC NOAA GOV (Jefferson Ogata)
Date: Wed, 29 Dec 1999 21:24:58 -0500
Henrik Edlund wrote:
[majordomo Perl vulnerability discussion snipped]
This security problem is as common as Perl scripts. Perl
programmers should always specify for open what they want to do
(read/write) and just not be lazy and skip that when they want to
read. A simple fix like:
open(AV, "< $fn") || die("open(AV, \"< $fn\"): $!\nStopped");
should fix this problem. As we specify that we are reading by
using the < (less than) the script will simple choke and say that
it can't open the filename starting with a | (pipe), instead of
running the filename. There is no need, I believe, to use the
sysopen function as someone else suggested earlier.
I believe this security hole has been covered in some other
advisory concerning all Perl (especially CGI) scripts.
Perl programmers should always use the taint flag (-T), full warnings (-w), and
the strict module, and just not be lazy, period! These should be considered
mandatory in code that will be distributed as part of any automated system,
regardless of setuid execution. With taint enabled, the programmer would have
had to define the allowable range of arguments by untainting them, and this
problem would not exist.
Taint is there. Use it! Reliance on filename semantics for security is not the
Also, require 5.004_05 or newer. Unfortunately, 5.004_04 has a somewhat obscure
Happy new year!
Jefferson Ogata <jogata () nodc noaa gov> National Oceanographic Data Center
You can't step into the same river twice. -- Herakleitos