Re: Vulnerability in Glimpse HTTP

[m.pool () PHAROS COM AU (Martin Pool)]

-----BEGIN PGP SIGNED MESSAGE-----

> Date:         Wed, 9 Jul 1997 13:00:07 -0600
> From: Oliver Friedrichs <oliverf () SILENCE SECNET COM>

> > They are...
> >
> >   ^ (acts as pipe under some shells)
> >  \n (acts as shell delimeter)
> >   \ (in the esc_chars version of the function, this allows \; to
> >      be escaped as \\;, then unescaped by shell into \; again.)
> >
> > This should be somewhat distrubing as a rather fearful number of
> > people have read that document and only a very few have actually
> > noticed these oversights.  I certainly hope the majority of programmers
>
> This is true, however in the context of this particular bug (Glimpse) this
> isn't the case.  The reason for this being that open() in perl does not
> honour these escape characters.

I think perl just passes the string to the shell program (set at
compile time?) which is usually /bin/sh.  So, most shells will
interpret a linefeed or semicolon as a command separator, and some may
take ^ as a pipe.

For example,

  $ perl -e 'open FOO, "echo \$RANDOM\ndate\;id|"; print <FOO>;'
  18773
  Fri Jul 11 09:52:20 EST 1997
  uid=500(mbp) gid=500(mbp) groups=...

- --
Martin Pool <m.pool () pharos com au>
Pharos Business Solutions

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: http://www.pharos.com.au/mbp/public_key.txt

iQB1AwUBM8V19Tr8By6pblTZAQEO1wL6A7LujtV5a0O6R1DiCQoGRkbjK0qUVNTY
5A8xZc4aZhHGBTpKIQp8k3mZB0TLoN4T8oqYoCq2AEcRUIo2N6DpZ330mRvujxtO
bell4Nae2XU4RIHOjCSIKrRA2j1duLe1
=Y0vB
-----END PGP SIGNATURE-----