[13930] in bugtraq


Re: perl-cgi hole in UltimateBB by Infopop Corp.

daemon@ATHENA.MIT.EDU (Dennis Taylor)
Fri Feb 18 20:38:31 2000

Mail-Followup-To: Brock Sides <bsides@TOWERY.COM>, BUGTRAQ@SECURITYFOCUS.COM
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id:  <20000218134009.A499@funkplanet.com>
Date:         Fri, 18 Feb 2000 13:40:09 -0800
Reply-To: Dennis Taylor <dennis@FUNKPLANET.COM>
From: Dennis Taylor <dennis@FUNKPLANET.COM>
X-To:         Brock Sides <bsides@TOWERY.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <Pine.LNX.4.10.10002171020110.14242-100000@koala.towery.com>;
              from bsides@TOWERY.COM on Thu, Feb 17, 2000 at 10:33:07AM -0600

On Thu, Feb 17, 2000 at 10:33:07AM -0600, Brock Sides wrote:

> Perl's tainting mechanism only comes into play if you are invoking a
> external command in some way: via system, exec, backticks, or
> opening a filehandle to or from a pipe. For example,

	Not quite true. Tainting will block any of the following
operations, as near as I can tell from a cursory perusal of the
source:

   - require()ing or use()ing a Perl library
   - unlinking a file
   - using the "glob" operator for expanding shell wildcards
   - opening a file for writing
   - in-place editing with the -i option
   - changing the "user" component of your umask
   - truncating a file via the truncate() function
   - calling the ioctl() or fcntl() functions
   - creating, binding, or connecting a new socket or socketpair
   - changing directories
   - calling chroot()
   - renaming/moving a file
   - linking a file (either link() or symlink())
   - creating a new directory
   - removing a directory
   - executing an external command with a pipe (backticks, open"|", etc.)
   - executing an external command with a fork and exec (system())
   - executing an external command with exec()
   - setpgrp() and setpriority()
   - manually making a syscall with syscall()

	...and probably a few others I've overlooked. Using -T in your
CGI script may not automagically make your program "secure", but it's
definitely a big step in the right direction.

_________________________________________________________________________
Dennis Taylor           "Anyone whose days are all the same and free from
dennis@funkplanet.com    want inhabits eternity of a sort."  - Peter Hoeg
_________________________________________________________________________
   PGP Fingerprint: E8D6 9670 4FBD EEC3 6C6B  810B 2B30 E529 51BD 7B90

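An illustration of the point above, added here and not part of the original thread: under -T, a write-open with a tainted file name is refused just like an external command would be, and the value only becomes usable after being extracted through an allowlist regex. It is run as `perl -T taint_demo.pl NAME`, assumes a writable /tmp, and the script name and file-name pattern are my own choices.

```perl
#!/usr/bin/perl -T
# Added example (not from the original post): taint mode blocks file
# writes, not only external commands, and a regex capture is the way out.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Constructed input: in a CGI script this would be $ENV{QUERY_STRING};
# command-line arguments are tainted under -T just the same.
die "usage: perl -T $0 FILENAME\n" unless @ARGV;
my $name = $ARGV[0];

# %ENV is tainted too; cleaning PATH is required before any
# system()/backticks/pipe-open, so do it up front as a habit.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

printf "argument tainted: %s\n", tainted($name) ? 'yes' : 'no';

# open() for writing with the tainted name dies with
# "Insecure dependency in open while running with -T switch".
my $ok = eval { open(my $fh, '>', "/tmp/$name") or die "open: $!\n"; close $fh; 1 };
print "write with tainted name: ", ($ok ? "allowed\n" : "blocked: $@");

# Untainting: only a regex capture clears the taint flag. The pattern is
# an allowlist of what a safe name looks like, so "../etc/passwd" or
# "x;rm -rf /" never get through; "." and ".." are rejected separately.
my ($clean) = $name =~ /\A([A-Za-z0-9_.-]{1,64})\z/;
die "rejected unsafe file name\n"
    if !defined $clean || $clean =~ /\A\.+\z/;
printf "untainted value tainted: %s\n", tainted($clean) ? 'yes' : 'no';

open(my $out, '>', "/tmp/$clean") or die "open: $!\n";
print $out "hello\n";
close $out;
print "wrote /tmp/$clean\n";
```

Try it with a harmless name and then with something like `'../oops'` to see the allowlist reject it before any file is touched.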