Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Re: perl-cgi hole in UltimateBB by Infopop Corp.

From: bsides () TOWERY COM (Brock Sides)
Date: Thu, 17 Feb 2000 10:33:07 -0600

On Wed, 16 Feb 2000, Bill McKinnon wrote:


Not really.  Consider the following snippet:

open PASSWD, '< /etc/passwd';
$var = '&PASSWD'; # also try $var = '&3';
open IN, "< $var";
print while (<IN>);

Perl's open will dup other file descriptors if < is followed by &.  This
isn't as potentially problematic as forking commands, but there may be
circumstances where someone could dup a filehandle and cause your script
to behave strangely/output sensitive information/etc.



   Interesting. And for the curious, this doesn't seem to be noticed by
Perl's tainting mechanism, unless I'm misunderstanding something:

$ perl -T - '&PW'
open(PW, "/etc/passwd") or die "open(): $!\n";

$var = shift;

open(FH, "< $var") or die "open(): $!\n";

print <FH>;

(hit CTRL D here)
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
...
etc


Perl's tainting mechanism only comes into play if you are invoking a
external command in some way: via system, exec, backticks, or opening a
filehandle to or from a pipe. For example,

#!/usr/bin/perl -w -T
open(PW, "<$ARGV[0]") or die $!;
print <PW>;
__END__

will run without complaint, as long as the filename you pass it in
$ARGV[0] is readable.

However,

#!/usr/bin/perl -w -T
$ENV{PATH}=''; # we need a safe path
$ENV{BASH_ENV}=''; # and a safe bash env
open(PW, "/bin/cat $ARGV[0] |") or die $!;
print <PW>;
__END__

which does the same thing, will die with a "Insecure dependency in piped
open while running with -T switch" error.

--
Brock Sides
Unix Systems Administration
Towery Publishing
bsides () towery com
Previous By Date Next
Previous By Thread Next

Current thread: