
Re: majordomo local exploit

daemon@ATHENA.MIT.EDU (Jefferson Ogata)
Thu Dec 30 13:07:59 1999

Message-Id:  <386AC27A.A4C31276@nodc.noaa.gov>
Date:         Wed, 29 Dec 1999 21:24:58 -0500
Reply-To: jogata@NODC.NOAA.GOV
From: Jefferson Ogata <jogata@NODC.NOAA.GOV>
To: BUGTRAQ@SECURITYFOCUS.COM

Henrik Edlund wrote:
[majordomo Perl vulnerability discussion snipped]
> This security problem is as common as Perl scripts. Perl
> programmers should always specify for open what they want to do
> (read/write) and just not be lazy and skip that when they want to
> read. A simple fix like:
>
> open(AV, "< $fn") || die("open(AV, \"< $fn\"): $!\nStopped");
>
> should fix this problem. As we specify that we are reading by
> using the < (less than) the script will simply choke and say that
> it can't open the filename starting with a | (pipe), instead of
> running the filename. There is no need, I believe, to use the
> sysopen function as someone else suggested earlier.
>
> I believe this security hole has been covered in some other
> advisory concerning all Perl (especially CGI) scripts.

Perl programmers should always use the taint flag (-T), full warnings (-w), and
the strict module, and just not be lazy, period! These should be considered
mandatory in code that will be distributed as part of any automated system,
regardless of setuid execution. With taint enabled, the programmer would have
had to define the allowable range of arguments by untainting them, and this
problem would not exist.

Taint is there. Use it! Reliance on filename semantics for security is not the
Proper Way.

Also, require 5.004_05 or newer. Unfortunately, 5.004_04 has a somewhat obscure
taint bug.

Happy new year!

--
Jefferson Ogata <jogata@nodc.noaa.gov> National Oceanographic Data Center
You can't step into the same river twice. -- Herakleitos
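The two points raised in this thread, an explicit open mode so a leading "|" is never parsed as a pipe, and taint mode with a regex allow-list so untrusted arguments are untainted before use, put together in one script. This is an added example, not code from either poster or from majordomo; the list name pattern, the `untaint_listfile` and `read_list` helper names, and the temporary list file are all constructed for the demonstration. It uses the three-argument `open(FH, '<', $fn)` rather than the two-argument `"< $fn"` form quoted above; both read-only forms refuse to treat `|cmd` as a pipe, but the three-argument form never parses the filename at all.

```perl
#!/usr/bin/perl -T
# Added example (not from the original post): contrast the two-argument
# open() that interprets a leading "|" as a pipe with the explicit-mode
# three-argument form, and show regex untainting under -T.
use strict;
use warnings;
use File::Temp qw(tempdir);

# Taint mode demands a clean PATH before anything could spawn a process.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Constructed list directory and list file so the example runs offline.
my $dir  = tempdir(CLEANUP => 1);
my $good = "$dir/mylist";
open(my $w, '>', $good) or die "create $good: $!";
print $w "alice\@example.com\n";
close $w;

# Untaint: accept only a restricted character set and return the captured
# copy, which Perl treats as clean. Anything else (including "|cmd")
# is rejected before it can reach open(). Hypothetical helper.
sub untaint_listfile {
    my ($base, $name) = @_;
    return undef
        unless defined $name && $name =~ /\A([A-Za-z0-9][\w.-]{0,63})\z/;
    return "$base/$1";
}

# Hardened open: the three-argument form never parses $fn for "|" or "<".
# The vulnerable original shape was open(AV, $fn), which does parse it.
sub read_list {
    my ($fn) = @_;
    open(my $fh, '<', $fn) or die "open(<, $fn): $!\nStopped";
    my @lines = <$fh>;
    close $fh;
    return @lines;
}

# 1. A normal name passes untainting and opens as a plain file.
my $fn = untaint_listfile($dir, 'mylist');
print "ok: ", scalar(read_list($fn)), " address(es) read from $fn\n";

# 2. A pipe-prefixed name never makes it through the allow-list.
my $bad = untaint_listfile($dir, '|id');
print "rejected by untaint: '|id'\n" unless defined $bad;

# 3. Even if such a name reached open(), the explicit-mode form treats it
#    as a literal filename and fails with ENOENT instead of running anything.
eval { read_list("$dir/|id") };
print "explicit-mode open refused: $@" if $@;
```

Run it as `perl -T script.pl`; Perl refuses to start when `-T` is on the `#!` line but missing from the command line. The `$1` capture is what performs the untainting, so the pattern must be as narrow as the application can tolerate: it is the "allowable range of arguments" the reply above refers to, and the three-argument `open` is the second, independent layer that holds even when a validation pattern is wrong.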
