Vulnerability Development
mailing list archives
Re: PERL's -e check
From: Adam Prato <sirsyko () MERGIOO ISHIBOO COM>
Date: Mon, 25 Dec 2000 23:29:53 -0800
On Sun, Dec 24, 2000 at 07:11:40PM -0500, Joe Testa wrote:
> Hi all --
>
> I've noticed here and there that some PERL scripts pass user input
> directly into an open() call protected by a "-e" check. Example:
>
>     # $temp_file is taken from the submitted form
>     if(-e $temp_file) {
>         open(TEMP, "<$temp_file");
>         ...
>     }
>
> Is there any trick that would bypass the "-e"? Thanks in advance.
>
> - Joe Testa
>
> P.S. Greets to @stake and the cDc.

All this does is open a filehandle (TEMP) based on the filename stored in
$temp_file if it exists (checked by the -e test operator)...

The standard way to "defeat" this is to symlink the file stored in $tempfile to
a different file on the system. Thus if the script runs with elevated
privileges, you could access data accessible by the elevated privileges.

Beyond this, I'm at a loss for what you are trying to accomplish. What do you
mean that "PERL scripts pass user input directly into an open call 'protected
by a -e check'"? This doesn't make much sense.

Are you saying that some perl scripts (assuming you mean a cgi) take user
input and write the user input to a filehandle? The "-e" does nothing to
'protect' this. And the only trick to "bypass" the -e test operator is to
first create the file it's looking for somehow (since -e checks to see if a file
exists).
<ss>
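
An added example, not part of the original message or thread: a hardened replacement for the "-e then open()" pattern discussed above, which refuses symlinks and checks the file through the opened handle instead of by path. The helper name open_temp_file, its parameters and the demo file names are hypothetical.

```perl
use strict;
use warnings;
use Fcntl qw(:DEFAULT :mode);   # O_RDONLY, O_NOFOLLOW, S_ISREG
use File::Temp qw(tempdir);

# Hypothetical helper: $dir is a fixed directory chosen by the script,
# $name is the untrusted value from the form. Returns a handle or undef.
sub open_temp_file {
    my ($dir, $name) = @_;

    # Allowlist a bare file name: no slash, no leading dot, bounded length.
    return unless defined $name
        && $name =~ /\A[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}\z/;

    # No separate -e test. Open first, then inspect the handle we hold.
    # O_NOFOLLOW makes the open fail if the final path component is a symlink.
    sysopen(my $fh, "$dir/$name", O_RDONLY | O_NOFOLLOW) or return;

    # stat on the handle describes the object actually opened, so swapping
    # the path after the check cannot change the answer.
    my @st = stat($fh);
    unless (@st && S_ISREG($st[2])) {
        close $fh;
        return;
    }
    return $fh;
}

# Constructed demo data: one regular file and one symlink to it,
# both inside a scratch directory that is removed on exit.
my $dir = tempdir(CLEANUP => 1);
open(my $out, '>', "$dir/report.txt") or die "create: $!";
print {$out} "hello\n";
close $out;
symlink("$dir/report.txt", "$dir/link.txt") or die "symlink: $!";

for my $name ('report.txt', 'link.txt', '../report.txt', 'missing.txt') {
    my $fh = open_temp_file($dir, $name);
    printf "%-16s %s\n", $name, $fh ? 'opened' : 'rejected';
    close $fh if $fh;
}
```

O_NOFOLLOW covers only the final path component, so the directory passed as $dir must itself not be writable by untrusted users.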