[4327] in WWW Security List Archive
Re: Perl System Call HACKS
daemon@ATHENA.MIT.EDU (Steff Watkins)
Mon Feb 10 15:52:44 1997
Date: Mon, 10 Feb 1997 18:13:02 +0000 (GMT)
From: Steff Watkins <Steff.Watkins@Bristol.ac.uk>
To: www-security@ns2.rutgers.edu
cc: jeff.middleton@waii.com
In-Reply-To: <9702100746.ZM23110@sgiserv3.aws.waii.com>
Errors-To: owner-www-security@ns2.rutgers.edu
On Mon, 10 Feb 1997, Jeff Middleton wrote:
> Is there a FAQ or information giving some examples as to the way
> a perl script that executes sendmail via a PERL system call can
> be hacked?
>
> What strings are going to be malicious to the sendmail execution?
> Is there a work-around?
>
> You may eMail me directly at jeff.middleton@waii.com.
Hello Jeff,
I basically work on the principle that if it's a sendmail No-No, then it
should be trapped for any sendmail calling mechanism.
The basic things I look for are:
- Target address.. I have NO sendmail calling scripts that allow the
remote user to set the To: address. A bit restrictive, but it works in my
environment and prevents abuse of sendmail.
- Subject.. Generally, do not allow the remote user to set the subject..
Restrictive, but as above..
- Trap any 'shell outs'. I think some versions of sendmail have it that if
the first character of a line is a colon ':', then the rest of the line is
treated as a shell command.. Trap and substitute for those..
As all the sendmail scripts I use are form returns, it is possible to set
the To: and Subject fields in the calling script explicitly. The other
trick, trapping the ':', is easy. It's just a
s/^://
on every line.
Hope that helps a little,
Steff
: Steff Watkins, General Computer-type being
: University of Bristol, Clifton, Bristol, BS8 1TH, UK
:
: RFC-822 : Steff.Watkins@bris.ac.uk
: X-400 : /G=Steff/S=Watkins/O=Bristol/PRMD=UK.AC/ADMD= /C=GB/
: Phone: +44 177 9287869 (external) 3046 / 7869 (internal)
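
Added example, not part of the original post: a Perl form-return mailer that follows the three points in the reply above (To: and Subject: fixed in the script, form data only in the body, leading ':' stripped from every line). The recipient address, subject text, sendmail path, the `--send` switch and the use of list-form open() with `-t -oi` are assumptions made for the example, not taken from the post.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Fixed by the script, never taken from the form (constructed placeholder values).
my $TO       = 'webmaster@example.org';
my $SUBJECT  = 'Web form return';
my $SENDMAIL = '/usr/sbin/sendmail';   # assumed path; adjust for the host

# Build the message: headers are constants, form data goes only in the body.
sub build_message {
    my ($body) = @_;
    $body =~ s/\r\n?/\n/g;             # normalise line endings before splitting
    my @lines = split /\n/, $body, -1;
    # The post's s/^://, widened so that "::cmd" cannot leave a leading ':'.
    s/^:+// for @lines;
    return "To: $TO\nSubject: $SUBJECT\n\n" . join("\n", @lines) . "\n";
}

# Hand the message to sendmail. The list form of open() execs the program
# directly, so no shell ever parses the arguments.
sub send_message {
    my ($message) = @_;
    open(my $mail, '|-', $SENDMAIL, '-t', '-oi')
        or die "cannot run $SENDMAIL: $!";
    print {$mail} $message;
    close($mail) or die "sendmail exited with status $?";
}

# Constructed sample form body, including a line that starts with ':'.
my $form_body = "Name: A. Visitor\r\n:this line starts with a colon\r\nThanks for the page.";
my $message   = build_message($form_body);

if (@ARGV && $ARGV[0] eq '--send') {
    send_message($message);
} else {
    print $message;                    # dry run: show what would be sent
}
```

Run without arguments, it prints the message it would send, so the stripped line can be checked before anything is mailed.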