[8524] in bugtraq


Re: Several new CGI vulnerabilities

daemon@ATHENA.MIT.EDU (Lincoln Stein)
Fri Nov 13 11:16:22 1998

Date: 	Thu, 12 Nov 1998 12:34:48 -0500
Reply-To: lstein@cshl.org
From: Lincoln Stein <lstein@CSHL.ORG>
X-To:         Olaf Titz <olaf@bigred.inka.de>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <E0zdvTH-0003Ay-00@danube.inka.de>

I apologize to the readers of the list.  I was being inexcusably
sloppy by not checking the result codes.  I was just trying to
illustrate the Perl feature of passing exec a list rather than a
string, and I allowed the temptation of being cute and idiomatic to
interfere with good code writing practices.

The result of the open() call should be checked as well as the
exec().  If either fails, the program should immediately exit.

Lincoln

Olaf Titz writes:
 > >    open (MAIL,"|-") || exec '/usr/lib/sendmail','-t','-oi';
 >
 > This gets "interesting" when fork fails. You then have the sendmail
 > process connected directly to the client. Perhaps it is even possible
 > to exploit this by simply overloading the server.
 >
 > Check for the success of the fork like this:
 >
 > $pid=open(MAIL, "|-");
 > defined ($pid) || die "fork: $!";
 > if (!$pid) { exec '/usr/lib/sendmail', '-t', '-oi' or exit 255; }
 >
 > or even:
 >
 > until (defined($pid=open(MAIL, "|-"))) { sleep 10; }
 > if (!$pid) { exec '/usr/lib/sendmail', '-t', '-oi' or exit 255; }
 >
 > Olaf
--
========================================================================
Lincoln D. Stein                           Cold Spring Harbor Laboratory
lstein@cshl.org                                   Cold Spring Harbor, NY
========================================================================
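
The checks discussed in this message, as an added example that is not code from either poster: it handles all three results of the forking open, a failed exec, and the mailer's exit status at close. The helper name `send_via_pipe`, the sample message, and the use of `cat` as a stand-in mailer are assumptions made for the illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use POSIX ();

# send_via_pipe() is a hypothetical helper. @cmd is the program and its
# arguments as a list, so exec never hands them to a shell.
sub send_via_pipe {
    my ($message, @cmd) = @_;

    # Forking open returns undef (fork failed), 0 (child) or the child's pid.
    my $pid = open(my $mail, '|-');
    if (!defined $pid) {
        # No child exists. Falling through to exec here would replace this
        # process with the mailer, still attached to the client's input.
        die "fork failed: $!\n";
    }

    if ($pid == 0) {
        # Child: STDIN is the read end of the pipe.
        no warnings 'exec';    # we report the failure ourselves
        exec { $cmd[0] } @cmd
            or do {
                print STDERR "exec $cmd[0] failed: $!\n";
                # _exit skips END blocks and does not flush output buffers
                # inherited from the parent.
                POSIX::_exit(255);
            };
    }

    # Parent: turn a dead mailer into an error from close, not a SIGPIPE.
    local $SIG{PIPE} = 'IGNORE';
    print {$mail} $message or die "write to mailer failed: $!\n";
    close($mail)
        or die "mailer failed: errno='$!' exit=" . ($? >> 8) . "\n";
    return 1;
}

# Constructed sample message; 'cat' stands in for the page's
# '/usr/lib/sendmail', '-t', '-oi' so the demo runs without a mailer.
my $msg = "To: nobody\@example.invalid\nSubject: test\n\nbody\n";
send_via_pipe($msg, 'cat');

# A mailer that cannot be exec'd surfaces as an exception in the parent.
eval { send_via_pipe($msg, '/nonexistent/mailer') };
print "caught: $@" if $@;
```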
