Bugtraq mailing list archives
Re: perl-cgi hole in UltimateBB by Infopop Corp.
From: acd () WEIRDNESS NET (Andrew Danforth)
Date: Tue, 15 Feb 2000 19:03:35 -0500
On Mon, 14 Feb 2000, Bill wrote:
"Sergei A. Golubchik" wrote:The fix is obvious. But the rule of the thumb is "do not use magic perl open". At least in cgi scripts. If you want to open regular file, sysopen does the trick as well.Isn't open(FH, "< $variable") sufficient to stop any embedded |'s, etc from doing anything harmful, as well?
Not really. Consider the following snippet: open PASSWD, '< /etc/passwd'; $var = '&PASSWD'; # also try $var = '&3'; open IN, "< $var"; print while (<IN>); Perl's open will dup other file descriptors if < is followed by &. This isn't as potentially problematic as forking commands, but there may be circumstances where someone could dup a filehandle and cause your script to behave strangely/output sensitive information/etc. Andrew
Current thread:
- perl-cgi hole in UltimateBB by Infopop Corp. Sergei A. Golubchik (Feb 11)
- Re: perl-cgi hole in UltimateBB by Infopop Corp. H D Moore (Feb 14)
- Re: perl-cgi hole in UltimateBB by Infopop Corp. Charles Capps (Feb 15)
- Re: perl-cgi hole in UltimateBB by Infopop Corp. Michael Wood (Feb 15)
- Remote Vulnerability in the MMDF SMTP Daemon NAI Labs (Feb 16)
- Re: perl-cgi hole in UltimateBB by Infopop Corp. Bill (Feb 14)
- Re: perl-cgi hole in UltimateBB by Infopop Corp. Andrew Danforth (Feb 15)
- Re: perl-cgi hole in UltimateBB by Infopop Corp. Bill McKinnon (Feb 16)
- Re: perl-cgi hole in UltimateBB by Infopop Corp. Brock Sides (Feb 17)
- AUTORUN.INF Vulnerability Eric Stevens (Feb 17)
- Re: AUTORUN.INF Vulnerability Jesper M. Johansson (Feb 18)
- UPDATED: NetBSD Security Advisory 2000-001 Daniel Carosone (Feb 18)
- Re: AUTORUN.INF Vulnerability Nick FitzGerald (Feb 19)
- Re: AUTORUN.INF Vulnerability Valentin Pletzer (Feb 20)
- MMDF Ran Atkinson (Feb 18)
- Re: perl-cgi hole in UltimateBB by Infopop Corp. Brock Sides (Feb 18)
- Re: perl-cgi hole in UltimateBB by Infopop Corp. Bennett Todd (Feb 18)
- Re: perl-cgi hole in UltimateBB by Infopop Corp. Andrew Danforth (Feb 15)
- Re: perl-cgi hole in UltimateBB by Infopop Corp. H D Moore (Feb 14)
