oss-sec mailing list archives

Re: CVE Request -- Data-FormValidator -- Reports invalid field as valid when untaint_all_constraints used

From: Josh Bressers <bressers () redhat com>
Date: Mon, 13 Jun 2011 15:28:11 -0400 (EDT)



----- Original Message -----

Hello, Josh, Steve, vendors,

It was found that perl-Data-FormValidator, a HTML form user input
validator, used to treat certain invalid fields as valid, when the
untaint_all_constraints directive was used (default for majority of
Data-FormValidator routines). A remote attacker could use this flaw to
bypass perl Taint mode protection mechanism via specially-crafted
input
provided to the HTML form.

Note: Hopefully Damyan, Mark can clarify here, if valid data from
Data-FormValidator are automatically marked as untainted for
perl Taint mode or not. If there still is perl Taint mode
protection check present, even on valid Data-FormValidator
data and it couldn't happen, that tainted data would be passed
further to the script processing, then this is not a security
issue.

References:
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=629511
[2] https://rt.cpan.org/Public/Bug/Display.html?id=61792
[3] https://bugzilla.redhat.com/show_bug.cgi?id=712694


Upstream seem to believe this is a security flaw.

Please use CVE-2011-2201.

Thanks.

-- 
    JB

Current thread:

CVE Request -- Data-FormValidator -- Reports invalid field as valid when untaint_all_constraints used Jan Lieskovsky (Jun 12)
- Bug#629511: Info received (CVE Request -- Data-FormValidator -- Reports invalid field as valid when untaint_all_constraints used) Debian Bug Tracking System (Jun 12)
- Re: CVE Request -- Data-FormValidator -- Reports invalid field as valid when untaint_all_constraints used Mark Stosberg (Jun 13)
- Re: CVE Request -- Data-FormValidator -- Reports invalid field as valid when untaint_all_constraints used Josh Bressers (Jun 13)