Bugtraq mailing list archives
PERL (was: Re: SECURITY HOLE: FormMail)
From: vax () ccwf cc utexas edu (VaX#n8)
Date: Mon, 7 Aug 1995 03:43:58 -0500
While really really bored, Paul Phillips wrote:
> It does have a security hole, it has the *exact* same hole that AnyForm
> did, except that it is exploited via open instead of system.  But a shell
> by any other name...
>
>     open (MAIL, "|$mailprog $FORM{'recipient'}") || die "Can't open $mailprog!\n";
I've found a number of holes related to passing things to open or system.
There are also some which offer things which are not necessarily security
holes, but which can offer unexpected results, if the input has "unusual"
(read: unexpected by the programmer) characters.

Here's some PERL code I wrote to avoid unusual behavior when "mv"-ing a
file with weird filenames... since it isn't passed to the shell for
parsing, you avoid a whole host of complication.  Sorry, this doesn't fix
all the bugs in using user-defined data (in fact, it fixes none of the
ones related to UIDs) but I've found it helpful enough to merit mailing.
Apologies if this is inappropriate.

PERL's open(), btw, needs to be SERIOUSLY redone.  For example, what if
you open(FOO,">$filename") and $filename happens to be ">bar"?
Unexpected, eh?  And yet, there appears to be no way to separate the
control data (">" in this example) from the data data (">bar").  Bad
programming practice, esp. if you can't restrict the format of the data
to be orthogonal from the control.  I think PERL relies too much on magic
characters (like its ancestors) to be used casually as script backends.

sub safe_mv {
    my ($file, $dir) = @_;
    # safe_sys returns true only when the child exited 0, so the || die
    # below actually fires on a failed mkdir or mv.
    -d $dir || &safe_sys('mkdir', '-p', $dir) || die "mkdir $dir failed\n";
    &safe_sys('mv', $file, $dir) || die "mv $file $dir failed\n";
}

sub safe_sys {
    # @_ is the argv list; with two or more elements exec never consults
    # a shell, so metacharacters in $file or $dir are just bytes in argv.
    my $pid;
    FORK: {
        if ($pid = fork) {
            # parent here
            # child process pid is available in $pid
            waitpid($pid, 0);
            return $? == 0;          # true iff the child exited with status 0
        } elsif (defined $pid) {
            # $pid is zero here if defined
            # child here
            # parent process pid is available with getppid
            exec @_;
            die "Could not exec: $!\n";
        } elsif ($! =~ /No more process/) {
            # EAGAIN, supposedly recoverable fork error
            sleep 5;
            redo FORK;
        } else {
            # weird fork error
            die "Can't fork: $!\n";
        }
    }
}

--
VaX#n8 (vak-sa-nate) - n, CS senior++ and Unix junkie - vax () ccwf cc utexas edu
Deal with evil through strength, yet encourage good through trust. - PGP me
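An added example, not code from the post above or from FormMail: it shows the separation of "control" from "data" that the post asks for, using the forms later perls grew (the three-argument open, and the list forms of the pipe open and of system(), available from perl 5.8). It assumes a Unix host with mkdir, mv and /bin/cat, uses /bin/cat as a stand-in for the mail program, and every filename and recipient in it is a constructed input for the demonstration:

```perl
#!/usr/bin/perl
# Added example (not from the original post). Assumes a Unix host with
# mkdir, mv and /bin/cat; /bin/cat stands in for the mailer. All inputs
# below are constructed for the demonstration.
use strict;
use warnings;
use Cwd qw(getcwd);
use File::Temp qw(tempdir);

# Names of the entries in the current directory, for showing what each
# form of open() actually created.
sub files_here {
    opendir(my $d, '.') or die "opendir: $!";
    my @f = sort grep { $_ ne '.' && $_ ne '..' } readdir $d;
    closedir $d;
    return @f;
}

# Human-readable result of the last system()/close() on a child process.
sub status {
    return $? == -1 ? "could not run: $!" : "exited " . ($? >> 8);
}

# --- the FormMail pipe, done with the list form of open() --------------
# open(MAIL, "|$mailprog $recipient") hands the recipient to /bin/sh.
# With a mode of '|-' and a list of arguments perl execs the program
# directly, so shell metacharacters in any argument are inert. Here the
# stand-in mailer reads the headers from its stdin (sendmail -t style);
# if the real mailer takes the address on its command line, pass it as its
# own list element: open($mail, '|-', $mailprog, $recipient).
sub send_form_mail {
    my ($recipient, $body) = @_;
    # Reject anything outside a narrow address syntax before it is used.
    $recipient =~ m{\A[\w.+-]+\@[\w.-]+\z}
        or return (0, "rejected recipient");
    open(my $mail, '|-', '/bin/cat', '-')
        or return (0, "cannot run mailer: $!");
    print $mail "To: $recipient\n\n$body\n";
    close $mail or return (0, "mailer " . status());
    return (1, "sent");
}

# --- the post's safe_mv, with system() in list form --------------------
# With two or more arguments system() forks, execvp()s and waits itself;
# no shell is consulted, so the filename is simply one argv element.
# '--' stops mkdir/mv from reading a leading '-' in the name as an option.
sub safe_mv {
    my ($file, $dest) = @_;
    unless (-d $dest) {
        system('mkdir', '-p', '--', $dest) == 0
            or return (0, "mkdir " . status());
    }
    system('mv', '--', $file, $dest) == 0
        or return (0, "mv " . status());
    return (1, "moved");
}

my $orig = getcwd();
my $dir  = tempdir(CLEANUP => 1);
chdir $dir or die "chdir: $!";

# --- the ">bar" case from the post -------------------------------------
my $filename = '>bar';                                # constructed user input

# 2-arg open: ">" . ">bar" is ">>bar", so perl opens "bar" for append.
open(my $two, ">$filename") or die "2-arg open: $!";
close $two;
print "after 2-arg open: @{[ files_here() ]}\n";     # bar

# 3-arg open: the mode is its own argument; the file is literally ">bar".
open(my $three, '>', $filename) or die "3-arg open: $!";
close $three;
print "after 3-arg open: @{[ files_here() ]}\n";     # >bar bar

# --- recipient handling ------------------------------------------------
for my $rcpt ('user@example.com', 'user@example.com;id') {
    my ($ok, $msg) = send_form_mail($rcpt, 'hello from the form');
    print "send_form_mail($rcpt): $msg\n";
}

# --- a filename full of shell metacharacters ---------------------------
my $weird = '-n $(id); touch pwned';                  # constructed hostile name
open(my $w, '>', $weird) or die "open: $!";
close $w;
my ($ok, $msg) = safe_mv($weird, 'archive');
print "safe_mv: $msg; file now in archive/: ", (-e "archive/$weird" ? 'yes' : 'no'),
      "; 'pwned' created: ", (-e 'pwned' ? 'yes' : 'no'), "\n";

chdir $orig or die "chdir: $!";                       # let File::Temp clean up
```

The point each section makes is the same one: once the mode or the program is an argument of its own and the data is another, the data can contain ">", ";" or "$(...)" and nothing interprets it. The list forms do not, of course, help with the other class of problem the post mentions (what the process may do once it runs, and as which user), which is why send_form_mail still checks the recipient's shape before anything is spawned.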
Current thread:
- SECURITY HOLE: FormMail Paul Phillips (Aug 02)
- followup: local mail delivery der Mouse (Aug 03)
- Re: SECURITY HOLE: FormMail Christian Wettergren (Aug 03)
- PERL (was: Re: SECURITY HOLE: FormMail) VaX#n8 (Aug 07)
- Re: PERL (was: Re: SECURITY HOLE: FormMail) Philip Guenther (Aug 07)
- Guidelines for cgi-bin scripts Lee Silverman (Aug 08)
- Re: Guidelines for cgi-bin scripts Dave Andersen (Aug 08)
- Re: Guidelines for cgi-bin scripts Christian Wettergren (Aug 09)
- <Possible follow-ups>
- Re: SECURITY HOLE: FormMail Andrew Macpherson (Aug 03)
- Re: SECURITY HOLE: FormMail Christian Wettergren (Aug 04)
- Re: SECURITY HOLE: FormMail Neil Woods (Aug 05)
- More holes, was: Re: SECURITY HOLE: FormMail Ivo (Aug 05)
- My email handler, ~ escapes, etc. Tom (Aug 05)
- Simple CGI email handler, fixed Tom (Aug 05)
- Re: SECURITY HOLE: FormMail Christian Wettergren (Aug 04)