Home page logo

bugtraq logo Bugtraq mailing list archives

Re: perl-cgi hole in UltimateBB by Infopop Corp.
From: merlyn () STONEHENGE COM (Randal L. Schwartz)
Date: Thu, 17 Feb 2000 07:41:48 -0800

"Bill" == Bill McKinnon <mckinnon () ISIS2000 COM> writes:

Perl's open will dup other file descriptors if < is followed by &.  This
isn't as potentially problematic as forking commands, but there may be
circumstances where someone could dup a filehandle and cause your script
to behave strangely/output sensitive information/etc.

There are two secure opening mechanisms (3 in perl 5.6 forthcoming).
sysopen() emulates the open(2) interface (without the normal magic),
and the following code handles arbitrary filenames to open:

        $name = "./$name" unless $name =~ m{^/};
        open FILE, "< $name" or die "...";

I believe this has been documented for quite some time.  We can't
help people who don't read the docs.

Bill>    Interesting. And for the curious, this doesn't seem to be noticed by
Bill> Perl's tainting mechanism, unless I'm misunderstanding something:

Bill> $ perl -T - '&PW'
Bill> open(PW, "/etc/passwd") or die "open(): $!\n";

Taint mode never complains about the data being passed to a filename
open for *input*.  The data being read is tainted, however.

Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
<merlyn () stonehenge com> <URL:http://www.stonehenge.com/merlyn/>
Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]