[21098] in bugtraq


Re: udirectory from Microburst Technologies remote command execution

daemon@ATHENA.MIT.EDU (Pavel Kankovsky)
Tue Jun 19 11:19:34 2001

Date: Tue, 19 Jun 2001 15:22:53 +0200 (MET DST)
From: Pavel Kankovsky <peak@argo.troja.mff.cuni.cz>
To: bugtraq@securityfocus.com
In-Reply-To: <200106181625.JAA13441@mail18.bigmailbox.com>
Message-ID: <20010619150140.12E3.0@argo.troja.mff.cuni.cz>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Mon, 18 Jun 2001, Deja User wrote:

> $value =~ s/(\.\.|\|$)//g;

Try $value = "echo gotcha|..".

Omitting $ in s/(\.\.|\|$)//g would not be perfect either because one
could synthesize ".." from ".|." (OTOH, it would not allow execution of
commands).

The point is s/PATTERN//g removes occurrences of PATTERN in the original
string but (unless PATTERN is rather special, like a set of single
characters, e.g. [abc], or a repeated character, e.g. aaa or a*) it can
create new occurrences.

The best thing you can do is to refuse to process a "poisoned" value
rather than try to "neutralize" it. Another approach, still quite safe,
is to filter out *all but known-to-be-harmless* characters with tr///.
Anything else is too error-prone, IMHO.

--Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."
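
The single-pass removal problem and the two safer alternatives from the reply above, as an added example (not code from the original post). It mirrors the Perl s///g and tr///cd idioms with Python's re module; the allowlist of letters, digits, underscore and hyphen is an assumption chosen for illustration.

```python
import re

# Blacklist from the original post: strip ".." and a trailing "|" in one pass.
BLACKLIST_WITH_ANCHOR = re.compile(r'(\.\.|\|$)')
# The same blacklist without the $ anchor, as discussed in the reply.
BLACKLIST_NO_ANCHOR = re.compile(r'(\.\.|\|)')
# Assumed allowlist of known-to-be-harmless characters (no "." and no "|").
ALLOWLIST = re.compile(r'[A-Za-z0-9_-]')


def strip_blacklist(value, pattern=BLACKLIST_WITH_ANCHOR):
    """Mirror s/PATTERN//g: one left-to-right pass, result is not re-scanned."""
    return pattern.sub('', value)


def creates_new_match(value, pattern):
    """True when one pass of s/PATTERN//g leaves text that PATTERN still matches.

    This is the failure mode the reply describes: deleting one occurrence
    can splice the surrounding characters into a fresh occurrence.
    """
    return pattern.search(pattern.sub('', value)) is not None


def allowlist_filter(value):
    """Mirror tr/A-Za-z0-9_-//cd: drop every character outside the allowlist."""
    return ''.join(ALLOWLIST.findall(value))


def accept_or_reject(value):
    """Preferred option from the reply: refuse a poisoned value outright."""
    if allowlist_filter(value) != value:
        raise ValueError('refusing value containing disallowed characters')
    return value


if __name__ == '__main__':
    # Constructed inputs taken from the reply's own two counterexamples.
    poisoned = 'echo gotcha|..'
    print(strip_blacklist(poisoned))                 # trailing "|" survives
    print(creates_new_match(poisoned, BLACKLIST_WITH_ANCHOR))
    print(strip_blacklist('.|.', BLACKLIST_NO_ANCHOR))  # ".." appears
    print(allowlist_filter(poisoned))
```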
