Home page logo

bugtraq logo Bugtraq mailing list archives

Re: udirectory from Microburst Technologies remote command execution
From: Pavel Kankovsky <peak () argo troja mff cuni cz>
Date: Tue, 19 Jun 2001 15:22:53 +0200 (MET DST)

On Mon, 18 Jun 2001, Deja User wrote:

$value =~ s/(\.\.|\|$)//g;

Try $value = "echo gotcha|..".

Omitting $ in s/(\.\.|\|$)//g would not be perfect either because one
could synthetize ".." from ".|." (OTOH, it would not allow execution of

The point is s/PATTERN//g removes occurences of PATTERN in the original
string but (unless PATTERN is rather special, like a set of single 
characters, e.g. [abc], or a repeated character, e.g. aaa or a*) it can
create new occurences.

The best thing you can do is to refuse to process a "poisoned" value
rather than try to "neutralize" it. Another approach, still quite safe,
is to filter out *all but known-to-be-harmless* characters with tr///.
Anything else is too error-prone, IMHO.

--Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]