[13874] in bugtraq
Re: perl-cgi hole in UltimateBB by Infopop Corp.
daemon@ATHENA.MIT.EDU (Andrew Danforth)
Thu Feb 17 03:47:50 2000
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.LNX.4.21.0002151851280.30648-100000@magnet.weirdness.net>
Date: Tue, 15 Feb 2000 19:03:35 -0500
Reply-To: Andrew Danforth <acd@WEIRDNESS.NET>
From: Andrew Danforth <acd@WEIRDNESS.NET>
X-To: Bill <mckinnon@ISIS2000.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <38A8668A.B0EF40CB@isis2000.com>
On Mon, 14 Feb 2000, Bill wrote:
> "Sergei A. Golubchik" wrote:
> > The fix is obvious. But the rule of the thumb is "do not use magic perl
> > open". At least in cgi scripts. If you want to open regular file,
> > sysopen does the trick as well.
>
> Isn't open(FH, "< $variable") sufficient to stop any embedded |'s, etc
> from doing anything harmful, as well?
Not really. Consider the following snippet:
open PASSWD, '< /etc/passwd';
$var = '&PASSWD'; # also try $var = '&3';
open IN, "< $var";
print while (<IN>);
Perl's open will dup other file descriptors if < is followed by &. This
isn't as potentially problematic as forking commands, but there may be
circumstances where someone could dup a filehandle and cause your script
to behave strangely/output sensitive information/etc.
Andrew
