[13870] in bugtraq
Re: perl-cgi hole in UltimateBB by Infopop Corp.
daemon@ATHENA.MIT.EDU (Bill McKinnon)
Thu Feb 17 02:03:24 2000
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.LNX.4.10.10002160903490.11914-100000@cartman.isis2000.com>
Date: Wed, 16 Feb 2000 09:06:47 -0700
Reply-To: Bill McKinnon <mckinnon@ISIS2000.COM>
From: Bill McKinnon <mckinnon@ISIS2000.COM>
X-To: Andrew Danforth <acd@weirdness.net>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <Pine.LNX.4.21.0002151851280.30648-100000@magnet.weirdness.net>
On Tue, 15 Feb 2000, Andrew Danforth wrote:
> On Mon, 14 Feb 2000, Bill wrote:
>
> > Isn't open(FH, "< $variable") sufficient to stop any embedded |'s, etc
> > from doing anything harmful, as well?
>
> Not really. Consider the following snippet:
>
> open PASSWD, '< /etc/passwd';
> $var = '&PASSWD'; # also try $var = '&3';
> open IN, "< $var";
> print while (<IN>);
>
> Perl's open will dup other file descriptors if < is followed by &. This
> isn't as potentially problematic as forking commands, but there may be
> circumstances where someone could dup a filehandle and cause your script
> to behave strangely/output sensitive information/etc.
>
> Andrew
Interesting. And for the curious, this doesn't seem to be noticed by
Perl's tainting mechanism, unless I'm misunderstanding something:
$ perl -T - '&PW'
open(PW, "/etc/passwd") or die "open(): $!\n";
$var = shift;
open(FH, "< $var") or die "open(): $!\n";
print <FH>;
(hit CTRL D here)
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
...
etc
Anyway, this is probably getting off topic...
- Bill
