[13136] in bugtraq
Re: majordomo local exploit
daemon@ATHENA.MIT.EDU (Henrik Edlund)
Wed Dec 29 21:02:32 1999
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.LNX.4.20.9912291615411.6601-100000@corellia.edlund.org>
Date: Wed, 29 Dec 1999 16:20:38 +0100
Reply-To: Henrik Edlund <henrik@EDLUND.ORG>
From: Henrik Edlund <henrik@EDLUND.ORG>
X-To: bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <199912291455.HAA06968@xerxes.courtesan.com>
> - -snip-
>
> # If the first argument is "@filename", read the real arguments
> # from "filename", and shove them onto the ARGV for later processing
> # by &Getopts()
> #
> if ($ARGV[0] =~ /^\@/) {
>     $fn = shift(@ARGV);
>     $fn =~ s/^@//;
>     open(AV, $fn) || die("open(AV, \"$fn\"): $!\nStopped");
>
> - -snip-
This security problem is as common as Perl scripts. Perl
programmers should always specify for open what they want to do
(read/write) and just not be lazy and skip that when they want to
read. A simple fix like:
open(AV, "< $fn") || die("open(AV, \"< $fn\"): $!\nStopped");
should fix this problem. As we specify that we are reading by
using the < (less than) the script will simply choke and say that
it can't open the filename starting with a | (pipe), instead of
running the filename. There is no need, I believe, to use the
sysopen function as someone else suggested earlier.
I believe this security hole has been covered in some other
advisory concerning all Perl (especially CGI) scripts.
--
Henrik Edlund
http://www.edlund.org/
"They were in the wrong place at the wrong time.
Naturally they became heroes."
Leia Organa of Alderaan, Senator
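As an added illustration (not code from the post or from majordomo), the script below compares the poster's two-argument "< $fn" form with the three-argument open() that Perl 5.6 and later provide; it builds its own scratch file and feeds both forms a name with stray whitespace and a name that the original open(AV, $fn) would have run as a command.

```perl
#!/usr/bin/perl
# Added example, not majordomo or the poster's code: compare the 2-argument
# "< $fn" fix from the post with the 3-argument open() available since Perl 5.6.
use strict;
use warnings;
use File::Temp qw(tempdir);

# The poster's fix: the explicit "<" keeps a leading "|" from starting a
# command, but 2-argument open() still rewrites the name (it trims whitespace).
sub open_2arg_read {
    my ($fn) = @_;
    open(my $fh, "< $fn") or return undef;
    return $fh;
}

# Idiomatic form: mode is a separate argument and $fn is taken literally,
# so no character in the name can change what open() does.
sub open_3arg_read {
    my ($fn) = @_;
    open(my $fh, '<', $fn) or return undef;
    return $fh;
}

# Constructed input: a scratch directory holding one real argument file.
my $dir = tempdir(CLEANUP => 1);
open(my $w, '>', "$dir/args") or die "create: $!";
print $w "-l list\n";
close $w;

# Names a caller might hand in via "@filename": the real file, the same name
# with stray whitespace, and one that would have run a command with open(AV, $fn).
for my $name ("$dir/args", "$dir/args ", " $dir/args", "|echo constructed") {
    my $fh2 = open_2arg_read($name);
    my $r2  = defined $fh2 ? "opened" : "refused ($!)";
    my $fh3 = open_3arg_read($name);
    my $r3  = defined $fh3 ? "opened" : "refused ($!)";
    printf "%-28s 2-arg \"< \$fn\": %-34s 3-arg: %s\n", "'$name'", $r2, $r3;
    close $_ for grep { defined } ($fh2, $fh3);
}
```

Both forms refuse the "|echo ..." name, but only the three-argument form also refuses the whitespace variants, which is why it is the form to use when the name comes from outside the script.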