Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Several new CGI vulnerabilities

From: lstein () cshl org (Lincoln Stein)
Date: Thu, 12 Nov 1998 12:34:48 -0500

I apologize to the readers of the list.  I was being inexcusably
sloppy by not checking the result codes.  I was just trying to
illustrate the Perl feature of passing exec a list rather than a
string, and I allowed the temptation of being cute and idiomatic to
interfere with good code writing practices.

The result of the open() call should be checked as well as the
exec().  If either fails, the program should immediately exit.

Lincoln

Olaf Titz writes:

   open (MAIL,"|-") || exec '/usr/lib/sendmail','-t','-oi';


This gets "interesting" when fork fails. You then have the sendmail
process connected directly to the client. Perhaps it is even possible
to exploit this by simply overloading the server.

Check for the success of the fork like this:

$pid=open(MAIL, "|-");
defined ($pid) || die "fork: $!";
if (!$pid) { exec '/usr/lib/sendmail', '-t', '-oi' || exit 255; }

or even:

do { $pid=open(MAIL, "|-"); last if defined($pid); sleep 10; } while (1);
if (!$pid) { exec '/usr/lib/sendmail', '-t', '-oi' || exit 255; }

Olaf

--
========================================================================
Lincoln D. Stein                           Cold Spring Harbor Laboratory
lstein () cshl org                                   Cold Spring Harbor, NY
========================================================================
Previous By Date Next
Previous By Thread Next

Current thread: