[13907] in bugtraq

Re: perl-cgi hole in UltimateBB by Infopop Corp.

daemon@ATHENA.MIT.EDU (Randal L. Schwartz)
Fri Feb 18 01:30:03 2000

Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id:  <m1aekzlttv.fsf@halfdome.holdit.com>
Date:         Thu, 17 Feb 2000 07:41:48 -0800
Reply-To: "Randal L. Schwartz" <merlyn@STONEHENGE.COM>
From: "Randal L. Schwartz" <merlyn@STONEHENGE.COM>
X-To:         Bill McKinnon <mckinnon@ISIS2000.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  Bill McKinnon's message of "Wed, 16 Feb 2000 09:06:47 -0700"

>>>>> "Bill" == Bill McKinnon <mckinnon@ISIS2000.COM> writes:

>> Perl's open will dup other file descriptors if < is followed by &.  This
>> isn't as potentially problematic as forking commands, but there may be
>> circumstances where someone could dup a filehandle and cause your script
>> to behave strangely/output sensitive information/etc.

There are two secure opening mechanisms (3 in perl 5.6 forthcoming).
sysopen() emulates the open(2) interface (without the normal magic),
and the following code handles arbitrary filenames to open:

        $name = "./$name" unless $name =~ m{^/};
        open FILE, "< $name" or die "...";

I believe this has been documented for quite some time.  We can't
help people who don't read the docs.

Bill>    Interesting. And for the curious, this doesn't seem to be noticed by
Bill> Perl's tainting mechanism, unless I'm misunderstanding something:

Bill> $ perl -T - '&PW'
Bill> open(PW, "/etc/passwd") or die "open(): $!\n";

Taint mode never complains about the data being passed to a filename
open for *input*.  The data being read is tainted, however.

--
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
<merlyn@stonehenge.com> <URL:http://www.stonehenge.com/merlyn/>
Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!
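An added example illustrating the two safe read-only openers Randal describes and the taint-mode point at the end of his reply. This is not code from the post or from Infopop's UltimateBB; the function names, the allow-list regex in `untaint_name`, and the use of core `File::Temp` for a throwaway readable file are assumptions of this example. The `<&STDIN` probe is the filehandle-dup name Bill mentions, passed here only to show that the `./` prefix (and the three-argument form) treats it as an ordinary, nonexistent file.

```perl
#!/usr/bin/perl
# Added example, not code from the post or from UltimateBB.
# Shows the two safe read-only openers Randal describes and why the
# "./" prefix defeats two-argument open()'s filehandle-dup magic.
use strict;
use warnings;
use File::Temp qw(tempfile);

# Two-argument open() parses the filename for mode characters: a name
# beginning "<&" dups an existing filehandle instead of opening a file.
# Forcing the name to begin with "./" or "/" means the character after
# the explicit "< " is always "." or "/", so no magic can apply.
sub safe_open_ro {
    my ($name) = @_;
    $name = "./$name" unless $name =~ m{^/};
    open my $fh, "< $name" or return;
    return $fh;
}

# Three-argument open() (perl 5.6 and later) is the other safe form: the
# mode is its own argument, so the name is never scanned for magic.
sub safe_open_ro_3arg {
    my ($name) = @_;
    open my $fh, '<', $name or return;
    return $fh;
}

# Defence in depth beyond the post (assumed policy, not from the page): an
# allow-list for the characters a CGI-supplied filename may contain.  Under
# -T this is also what untaints $name, since taint mode does not object to
# opening a tainted name for input; the bytes read through the handle are
# tainted regardless.
sub untaint_name {
    my ($name) = @_;
    return undef unless $name =~ m{^([\w./-]+)$};
    my $clean = $1;
    return undef if $clean =~ m{(?:^|/)\.\.(?:/|$)};   # no parent-directory escapes
    return $clean;
}

# --- demonstration on constructed input ---
my ($tmp, $tmpname) = tempfile(UNLINK => 1);   # a real, readable file
print {$tmp} "sample line\n";
close $tmp;

my @probes = (
    $tmpname,        # ordinary absolute path: opens
    "<&STDIN",       # dup request under bare two-arg open(); here just a filename
    "no-such-file",  # ordinary relative name that does not exist
);

for my $probe (@probes) {
    my $fh = safe_open_ro($probe);
    if ($fh) {
        my $line = <$fh>;
        close $fh;
        printf "%-14s opened, first line: %s", $probe, $line;
    } else {
        printf "%-14s refused: %s\n", $probe, $!;
    }
    my $ok = defined untaint_name($probe) ? "passes" : "fails";
    print "  (allow-list $ok)\n";
}

# Same probe through the three-argument form: no dup, just ENOENT.
my $fh3 = safe_open_ro_3arg("<&STDIN");
print "three-arg open of '<&STDIN': ", ($fh3 ? "opened\n" : "refused: $!\n");
```

Running it prints that the temporary file opens, that `<&STDIN` and `no-such-file` are refused with "No such file or directory" by both openers, and that only the temporary file's path and `no-such-file` pass the allow-list. The `./` prefix is what turns `<&STDIN` from a dup directive into a filename; the allow-list is the extra step a CGI author would add so that tainted input is rejected before it ever reaches `open`.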