Bugtraq mailing list archives
Re: Several new CGI vulnerabilities
From: lstein () cshl org (Lincoln Stein)
Date: Thu, 12 Nov 1998 12:34:48 -0500
I apologize to the readers of the list. I was being inexcusably sloppy by not checking the result codes. I was just trying to illustrate the Perl feature of passing exec a list rather than a string, and I allowed the temptation of being cute and idiomatic to interfere with good code writing practices.

The result of the open() call should be checked as well as the exec(). If either fails, the program should immediately exit.

Lincoln

Olaf Titz writes:
> open (MAIL,"|-") || exec '/usr/lib/sendmail','-t','-oi';
>
> This gets "interesting" when fork fails. You then have the sendmail process connected directly to the client. Perhaps it is even possible to exploit this by simply overloading the server.
>
> Check for the success of the fork like this:
>
> $pid=open(MAIL, "|-");
> defined ($pid) || die "fork: $!";
> if (!$pid) {
>   # exec only returns on failure; the parentheses keep || off the last argument
>   exec('/usr/lib/sendmail', '-t', '-oi') || exit 255;
> }
>
> or even:
>
> # retry until the fork succeeds
> while (1) {
>   $pid=open(MAIL, "|-");
>   last if defined($pid);
>   sleep 10;
> }
> if (!$pid) {
>   exec('/usr/lib/sendmail', '-t', '-oi') || exit 255;
> }
>
> Olaf
--
========================================================================
Lincoln D. Stein                           Cold Spring Harbor Laboratory
lstein () cshl org                         Cold Spring Harbor, NY
========================================================================
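The checks discussed in this message, put together as an added example that is not code from either poster: the fork result, the exec, the write and the close are each checked, and a failed exec leaves the child without running any of the parent's code. The pipe_to name and the /bin/cat stand-in (so the script runs on a host without sendmail) are assumptions of the example.

```perl
#!/usr/bin/perl
# Added example, not from the thread. Stand-in default: /bin/cat echoes the
# message; pass e.g. /usr/lib/sendmail -t -oi on the command line instead.
use strict;
use warnings;
use POSIX ();

sub pipe_to {
    my ($message, @cmd) = @_;

    # open "|-" forks: undef = fork failed, 0 = we are the child, >0 = parent.
    my $pid = open(my $mail, '|-');
    defined $pid or die "fork failed: $!\n";   # never fall through to exec

    if ($pid == 0) {
        # Child: STDIN is the pipe from the parent. The block form of exec
        # always takes the list path, so no shell ever parses the arguments.
        exec { $cmd[0] } @cmd or do {
            print STDERR "exec $cmd[0]: $!\n";
            POSIX::_exit(255);   # leave without running the parent's cleanup
        };
    }

    # Parent: report a dead child as an error instead of dying on SIGPIPE.
    local $SIG{PIPE} = 'IGNORE';
    print {$mail} $message or die "write to $cmd[0]: $!\n";

    # close() waits for the child; $! == 0 means it exited non-zero.
    close($mail)
        or die($! ? "close: $!\n" : "$cmd[0] exited with status " . ($? >> 8) . "\n");
    return 1;
}

# Constructed sample message.
my $message = "To: postmaster\@localhost\nSubject: test\n\nHello.\n";
my @cmd = @ARGV ? @ARGV : ('/bin/cat');
pipe_to($message, @cmd);
```

With the fork check in place, a failed fork ends the script before any exec, so the mailer is never started in the process that holds the client connection.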