Bugtraq mailing list archives

Re: perl-cgi hole in UltimateBB by Infopop Corp.


From: dennis () FUNKPLANET COM (Dennis Taylor)
Date: Fri, 18 Feb 2000 13:40:09 -0800


On Thu, Feb 17, 2000 at 10:33:07AM -0600, Brock Sides wrote:

Perl's tainting mechanism only comes into play if you are invoking an
external command in some way: via system, exec, backticks, or
opening a filehandle to or from a pipe. For example,

        Not quite true. Tainting will block any of the following
operations, as near as I can tell from a cursory perusal of the
source:

   - require()ing or use()ing a Perl library
   - unlinking a file
   - using the "glob" operator for expanding shell wildcards
   - opening a file for writing
   - in-place editing with the -i option
   - changing the "user" component of your umask
   - truncating a file via the truncate() function
   - calling the ioctl() or fcntl() functions
   - creating, binding, or connecting a new socket or socketpair
   - changing directories
   - calling chroot()
   - renaming/moving a file
   - linking a file (either link() or symlink())
   - creating a new directory
   - removing a directory
   - executing an external command with a pipe (backticks, open"|", etc.)
   - executing an external command with a fork and exec (system())
   - executing an external command with exec()
   - setpgrp() and setpriority()
   - manually making a syscall with syscall()

        ...and probably a few others I've overlooked. Using -T in your
CGI script may not automagically make your program "secure", but it's
definitely a big step in the right direction.

_________________________________________________________________________
Dennis Taylor           "Anyone whose days are all the same and free from
dennis () funkplanet com    want inhabits eternity of a sort."  - Peter Hoeg
_________________________________________________________________________
   PGP Fingerprint: E8D6 9670 4FBD EEC3 6C6B  810B 2B30 E529 51BD 7B90
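
The point made in the message above, that -T blocks more than external commands, can be checked with the following Perl script. It is an added example, not part of the original post; the directory name taint_demo_dir, the helper try_ops and the tainted input are constructed for illustration.

```perl
# Added example (not from the original post). Run with: perl -T taint_demo.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

die "run this with: perl -T $0\n" unless ${^TAINT};

# Constructed stand-in for a CGI parameter. Environment values are tainted
# under -T and a zero-length substr of tainted data is still tainted, so
# appending it taints the name (assumes the environment is not empty).
my $name = 'taint_demo_dir' . substr(join('', values %ENV), 0, 0);

# File operations from the list above; none of them runs an external command.
# The order lets the untainted pass clean up after itself.
my @ops = (
    [ 'mkdir'            => sub { mkdir $_[0] } ],
    [ 'open for writing' => sub { open(my $fh, '>', "$_[0]/out.txt") } ],
    [ 'unlink'           => sub { unlink "$_[0]/out.txt" } ],
    [ 'rename'           => sub { rename $_[0], "$_[0].bak" } ],
    [ 'rmdir'            => sub { rmdir "$_[0].bak" } ],
);

# Attempt every operation on $dir and report whether the taint check let it
# through. A blocked operation dies before the system call is made.
sub try_ops {
    my ($label, $dir) = @_;
    printf "%s (tainted: %s)\n", $label, tainted($dir) ? 'yes' : 'no';
    for my $op (@ops) {
        my ($what, $code) = @$op;
        my $ok  = eval { $code->($dir); 1 };
        my $why = $ok ? 'allowed' : 'blocked: ' . (($@ =~ /^(.*?) at /)[0] // $@);
        printf "  %-17s %s\n", $what, $why;
    }
}

try_ops('raw input', $name);

# Untaint by extracting an allow-listed pattern; only regex captures come
# back untainted. Anything outside the pattern is rejected, not cleaned.
my ($clean) = $name =~ /\A([A-Za-z0-9_]{1,32})\z/
    or die "rejected: unexpected characters in name\n";

try_ops('validated input', $clean);
```

In the second pass "allowed" means only that the taint check passed; the call itself can still fail for ordinary reasons such as permissions.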

