mailing list archives
Re: perl-cgi hole in UltimateBB by Infopop Corp.
From: acd () WEIRDNESS NET (Andrew Danforth)
Date: Tue, 15 Feb 2000 19:03:35 -0500
On Mon, 14 Feb 2000, Bill wrote:
"Sergei A. Golubchik" wrote:
The fix is obvious. But the rule of the thumb is "do not use magic perl
open". At least in cgi scripts. If you want to open regular file,
sysopen does the trick as well.
Isn't open(FH, "< $variable") sufficient to stop any embedded |'s, etc
from doing anything harmful, as well?
Not really. Consider the following snippet:
open PASSWD, '< /etc/passwd';
$var = '&PASSWD'; # also try $var = '&3';
open IN, "< $var";
print while (<IN>);
Perl's open will dup other file descriptors if < is followed by &. This
isn't as potentially problematic as forking commands, but there may be
circumstances where someone could dup a filehandle and cause your script
to behave strangely/output sensitive information/etc.