Bugtraq mailing list archives

PERL (was: Re: SECURITY HOLE: FormMail)

From: vax () ccwf cc utexas edu (VaX#n8)
Date: Mon, 7 Aug 1995 03:43:58 -0500


While really really bored, Paul Phillips wrote:

It does have a security hole, it has the *exact* same hole that
AnyForm did, except that it is exploited via open instead of system.
But a shell by any other name...
open (MAIL, "|$mailprog $FORM{'recipient'}") || die "Can't open $mailprog!\n";


I've found a number of holes related to passing things to open or system.
There are also some which offer things which are not necessarily security
holes, but which can offer unexpected results, if the input has "unusual"
(read: unexpected by the programmer) characters.

Here's some PERL code I wrote to avoid unusual behavior when "mv"-ing a
file with wierd filenames... since it isn't passed to the shell for
parsing, you avoid a whole host of complication.
Sorry, this doesn't fix all the bugs in using user-defined data (in fact,
it fixes none of the ones related to UIDs) but I've found it helpful enough
to merit mailing.  Apologies if this is inappropriate.

PERL's open(), btw, needs to be SERIOUSLY redone.
For example, what if you open(FOO,">$filename") and $filename happens to
be ">bar"?  Unexpected, eh?  And yet, there appears to be no way to seperate
the control data (">" in this example) from the data data (">bar").
Bad programming practice, esp. if you can't restrict the format of the data
to be orthogonal from the control.
I think PERL relies too much on magic characters (like it's ancestors) to be
used casually as script backends.

sub safe_mv
{   local($file,$dir) = @_;
    -d $dir || &safe_sys('mkdir','-p',$dir) || die;
    &safe_sys('mv',$file,$dir) || die;
}

sub safe_sys
{   local($pid);
FORK: {
        if ($pid = fork) {
                # parent here
                # child process pid is available in $pid
        waitpid($pid,0);
        } elsif (defined $pid) { # $pid is zero here if defined
                # child here
                # parent process pid is available with getppid
        exec @_;
        die "Could not exec: $!\n";
        } elsif ($! =~ /No more process/) {
                # EAGAIN, supposedly recoverable fork error
                sleep 5;
                redo FORK;
        } else {
                # weird fork error
                die "Can't fork: $!\n";
        }
}
}
--
VaX#n8 (vak-sa-nate) - n, CS senior++ and Unix junkie - vax () ccwf cc utexas edu
Deal with evil through strength, yet encourage good through trust.    - PGP me

Current thread:

SECURITY HOLE: FormMail Paul Phillips (Aug 02)
- followup: local mail delivery der Mouse (Aug 03)
- Re: SECURITY HOLE: FormMail Christian Wettergren (Aug 03)
- PERL (was: Re: SECURITY HOLE: FormMail) VaX#n8 (Aug 07)
  - Re: PERL (was: Re: SECURITY HOLE: FormMail) Philip Guenther (Aug 07)
  - Guidelines for cgi-bin scripts Lee Silverman (Aug 08)
    - Re: Guidelines for cgi-bin scripts Dave Andersen (Aug 08)
    - Re: Guidelines for cgi-bin scripts Christian Wettergren (Aug 09)
- <Possible follow-ups>
- Re: SECURITY HOLE: FormMail Andrew Macpherson (Aug 03)
  - Re: SECURITY HOLE: FormMail Christian Wettergren (Aug 04)
    - Re: SECURITY HOLE: FormMail Neil Woods (Aug 05)
    - More holes, was: Re: SECURITY HOLE: FormMail Ivo (Aug 05)
    - My email handler, ~ escapes, etc. Tom (Aug 05)
    - Simple CGI email handler, fixed Tom (Aug 05)

(Thread continues...)