[13835] in bugtraq
Re: perl-cgi hole in UltimateBB by Infopop Corp.
daemon@ATHENA.MIT.EDU (Bill)
Tue Feb 15 14:09:07 2000
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <38A8668A.B0EF40CB@isis2000.com>
Date: Mon, 14 Feb 2000 15:33:14 -0500
Reply-To: Bill <mckinnon@ISIS2000.COM>
From: Bill <mckinnon@ISIS2000.COM>
X-To: "Sergei A. Golubchik" <serg@INFOMAG.APE.RELARN.RU>
To: BUGTRAQ@SECURITYFOCUS.COM
"Sergei A. Golubchik" wrote:
>
> The fix is obvious. But the rule of thumb is "do not use magic perl open".
> At least in cgi scripts. If you want to open a regular file, sysopen does
> the trick as well.
Isn't open(FH, "< $variable") sufficient to stop any embedded |'s, etc.
from doing anything harmful, as well?
- Bill
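The script below is an added demonstration for the question above; it is not part of the thread and not code from UltimateBB. It feeds a few constructed "topic" strings to three open forms: the two-argument magic open, the "< $variable" form Bill asks about, and sysopen as suggested in the thread (three-argument open, which arrived with Perl 5.6, takes the name literally in the same way). The scratch directory and file names are assumptions, and a Unix perl is assumed because the pipe case runs a shell command. The script prints what each form actually produced, so the reader can check the claims in the comments against a running perl rather than take them on faith.

```perl
#!/usr/bin/perl
# Added demonstration, not from the original thread.  Everything here
# (scratch file, attacker strings) is constructed; assumes a Unix perl.
use strict;
use warnings;
use Cwd qw(getcwd);
use Fcntl qw(O_RDONLY);
use File::Temp qw(tempdir);

# Two-argument "magic" open: one string carries mode and name, so a
# trailing '|', a leading '>' or '|', '&' and a bare '-' are interpreted.
sub magic_open {
    my ($name) = @_;
    open(my $fh, $name) or return undef;
    return $fh;
}

# The form asked about: a fixed '<' pins the mode to read, so a trailing
# '|' is now just a character in the file name.  The remainder is still
# parsed, though: surrounding whitespace is stripped, '-' means STDIN, and
# '&N' / '&=N' duplicate an existing file descriptor.
sub prefixed_open {
    my ($name) = @_;
    open(my $fh, "< $name") or return undef;
    return $fh;
}

# sysopen, as suggested in the thread, hands the name to open(2) untouched.
# Three-argument open(my $fh, '<', $name), new in Perl 5.6, does the same.
sub literal_open {
    my ($name) = @_;
    sysopen(my $fh, $name, O_RDONLY) or return undef;
    return $fh;
}

# Report what an open actually gave us without blocking on a terminal.
sub describe {
    my ($fh) = @_;
    return "refused ($!)" unless $fh;
    return "STDIN (fd 0)" if fileno($fh) == 0;
    my $line = <$fh>;
    close $fh;
    return "opened, nothing to read" unless defined $line;
    chomp $line;
    return "read: $line";
}

my $dir  = tempdir(CLEANUP => 1);
my $orig = getcwd();
chdir $dir or die "chdir: $!";
open(my $w, '>', 'topic.txt') or die "create: $!";
print $w "harmless forum topic\n";
close $w;

# Constructed values a CGI might receive in its "topic" parameter.
my @inputs = (
    'topic.txt',          # the intended case
    'echo not a file|',   # command execution via trailing pipe
    " topic.txt\n",       # whitespace the two-argument forms silently strip
    '-',                  # the script's own standard input
    '&=0',                # fdopen(0): standard input again, via the dup syntax
);

for my $input (@inputs) {
    (my $shown = $input) =~ s/\n/\\n/g;
    print "input '$shown'\n";
    for my $form (['magic',    \&magic_open],
                  ['prefixed', \&prefixed_open],
                  ['literal',  \&literal_open]) {
        printf "  %-9s %s\n", $form->[0], describe($form->[1]->($input));
    }
}
chdir $orig;
```

Run it with no arguments. The prefix does stop the trailing pipe, but "-" and the "&" dup syntax are still interpreted after it, and both two-argument forms strip whitespace that sysopen would pass through unchanged; only the literal forms treat every byte of the name as part of the path. None of them protects against ".." in the name, which is a separate check the CGI still has to make.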