Re: perl-cgi hole in UltimateBB by Infopop Corp.

[merlyn () STONEHENGE COM (Randal L. Schwartz)]

> > > > > "Bill" == Bill McKinnon <mckinnon () ISIS2000 COM> writes:

> > Perl's open will dup other file descriptors if < is followed by &.  This
> > isn't as potentially problematic as forking commands, but there may be
> > circumstances where someone could dup a filehandle and cause your script
> > to behave strangely/output sensitive information/etc.

There are two secure opening mechanisms (3 in perl 5.6 forthcoming).
sysopen() emulates the open(2) interface (without the normal magic),
and the following code handles arbitrary filenames to open:

        $name = "./$name" unless $name =~ m{^/};
        open FILE, "< $name" or die "...";

I believe this has been documented for quite some time.  We can't
help people who don't read the docs.

Bill>    Interesting. And for the curious, this doesn't seem to be noticed by
Bill> Perl's tainting mechanism, unless I'm misunderstanding something:

Bill> $ perl -T - '&PW'
Bill> open(PW, "/etc/passwd") or die "open(): $!\n";

Taint mode never complains about the data being passed to a filename
open for *input*.  The data being read is tainted, however.

--
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
<merlyn () stonehenge com> <URL:http://www.stonehenge.com/merlyn/>
Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!