<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<META content="MSHTML 6.00.2900.2668" name=GENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=#ffffff>
<DIV><FONT face=Arial size=2>Voltei para o mesmo principio,</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>fui colocar as variaves no script original ele nao
aceita</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>#!/usr/bin/perl</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2>use CGI;</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2>my $query = new CGI;</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2>my $ip = $query->param('ip');</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2>print $query->header;</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2>$ENV{'PATH'} = '/bin:/usr/bin';</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2><STRONG>$cat = `cat
/usr/local/squid/logs/access.log | grep $ip`;</STRONG></FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>print "oi $cat";<BR></FONT></DIV>
<DIV><FONT face=Arial size=2>agora se eu colocar</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2><STRONG>$cat = `cat
/usr/local/squid/logs/access.log | grep <FONT
color=#ff0000>192.168.0.7</FONT>`;</STRONG></FONT></DIV>
<DIV><FONT face=Arial size=2><STRONG></STRONG></FONT> </DIV>
<DIV><FONT face=Arial size=2>ai executa normal.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>pq?</DIV></FONT>
<BLOCKQUOTE
style="PADDING-RIGHT: 0px; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px">
<DIV style="FONT: 10pt arial">----- Original Message ----- </DIV>
<DIV
style="BACKGROUND: #e4e4e4; FONT: 10pt arial; font-color: black"><B>From:</B>
<A title=perl@atechs.com.br href="mailto:perl@atechs.com.br">Vinicius
Alves</A> </DIV>
<DIV style="FONT: 10pt arial"><B>To:</B> <A title=cascavel-pm@pm.org
href="mailto:cascavel-pm@pm.org">Cascavel Perl Mongers</A> </DIV>
<DIV style="FONT: 10pt arial"><B>Sent:</B> Thursday, August 04, 2005 9:03
PM</DIV>
<DIV style="FONT: 10pt arial"><B>Subject:</B> Re: [Cascavel-pm] Erro estranho
no Perl v5.8.6</DIV>
<DIV><BR></DIV>
<DIV><FONT face=Arial size=2>Não chamaria de frescura, é a forma do Perl
evitar que a gente dê um tiro no próprio pé. Tem como passar por cima
disto não usando o -T ou chamando as funções system(), exec() ou o open com
pipe através da forma com listas. Tirando do perlsec:</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><!--StartFragment --> <PRE>exec "echo $arg"; # Insecure
exec "echo", $arg; # Secure (doesn't use the shell)
exec "sh", '-c', $arg; # Considered secure, alas!</PRE><PRE><FONT face=Arial>Vê que ele não faz verificação de dados inseguros quando se usa a forma com vários argumentos.</FONT></PRE><PRE><FONT face=Arial></FONT> </PRE><PRE><FONT face=Arial>[]´s<BR></FONT><FONT face=Arial>Vinicius</FONT></PRE></DIV>
<BLOCKQUOTE
style="PADDING-RIGHT: 0px; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px">
<DIV style="FONT: 10pt arial">----- Original Message ----- </DIV>
<DIV
style="BACKGROUND: #e4e4e4; FONT: 10pt arial; font-color: black"><B>From:</B>
<A title=sammuel.souza@gmail.com
href="mailto:sammuel.souza@gmail.com">Sammuel de Souza</A> </DIV>
<DIV style="FONT: 10pt arial"><B>To:</B> <A title=cascavel-pm@pm.org
href="mailto:cascavel-pm@pm.org">Cascavel Perl Mongers</A> </DIV>
<DIV style="FONT: 10pt arial"><B>Sent:</B> Thursday, August 04, 2005 7:53
PM</DIV>
<DIV style="FONT: 10pt arial"><B>Subject:</B> Re: [Cascavel-pm] Erro
estranho no Perl v5.8.6</DIV>
<DIV><BR></DIV>
<DIV><FONT face=Arial size=2>Esse erro é frescura do PERL ou é alguma coisa
na instalaçao???</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>fiz assim para arrumar</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>$ENV{PATH} = '';<BR></FONT></DIV>
<DIV><FONT face=Arial size=2>$cat = `/bin/cat
/usr/local/squid/logs/access.log | /usr/bin/awk \'{print
\$3":.:"\$4":.:"\$6":.:"\$7":.:"\$10"<br>"}\' | /usr/bin/grep
$ip`;<BR></FONT></DIV>
<DIV><FONT face=Arial size=2>e funcionou.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>(aleluia depois de 4 dias apanhando para isso,
LOL)</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>[]'s Douglas</FONT></DIV>
<BLOCKQUOTE
style="PADDING-RIGHT: 0px; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px">
<DIV style="FONT: 10pt arial">----- Original Message ----- </DIV>
<DIV
style="BACKGROUND: #e4e4e4; FONT: 10pt arial; font-color: black"><B>From:</B>
<A title=perl@atechs.com.br href="mailto:perl@atechs.com.br">Vinicius
Alves</A> </DIV>
<DIV style="FONT: 10pt arial"><B>To:</B> <A title=cascavel-pm@pm.org
href="mailto:cascavel-pm@pm.org">Cascavel Perl Mongers</A> </DIV>
<DIV style="FONT: 10pt arial"><B>Sent:</B> Thursday, August 04, 2005 8:37
PM</DIV>
<DIV style="FONT: 10pt arial"><B>Subject:</B> Re: [Cascavel-pm] Erro
estranho no Perl v5.8.6</DIV>
<DIV><BR></DIV>
<DIV><FONT face=Arial size=2>Sammuel,</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Você tem que "limpar" suas varáveis de
ambiente:</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2><!--StartFragment --><FONT
face="Times New Roman" size=3> </FONT> $ENV{'PATH'} =
'/bin:/usr/bin';<BR> delete @ENV{'IFS', 'CDPATH', 'ENV',
'BASH_ENV'};</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2></FONT><FONT face=Arial size=2>Veja <A
href="http://www.perl.com/doc/manual/html/pod/perlsec.html">http://www.perl.com/doc/manual/html/pod/perlsec.html</A> para
mais informações.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>[]´s</FONT></DIV>
<DIV><FONT face=Arial size=2>Vinicius</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<BLOCKQUOTE
style="PADDING-RIGHT: 0px; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px">
<DIV style="FONT: 10pt arial">----- Original Message ----- </DIV>
<DIV
style="BACKGROUND: #e4e4e4; FONT: 10pt arial; font-color: black"><B>From:</B>
<A title=sammuel.souza@gmail.com
href="mailto:sammuel.souza@gmail.com">Sammuel de Souza</A> </DIV>
<DIV style="FONT: 10pt arial"><B>To:</B> <A
title=cascavel-pm@mail.pm.org
href="mailto:cascavel-pm@mail.pm.org">Cascavel Perl Mongers</A> </DIV>
<DIV style="FONT: 10pt arial"><B>Sent:</B> Thursday, August 04, 2005
7:18 PM</DIV>
<DIV style="FONT: 10pt arial"><B>Subject:</B> Re: [Cascavel-pm] Erro
estranho no Perl v5.8.6</DIV>
<DIV><BR></DIV>
<DIV><FONT face=Arial size=2>Fiz como vc falou</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>fiz um script menor para ver se resolvo o
problema.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>coloquei </FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>use diagnostics;</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Codigo</FONT></DIV>
<DIV><FONT face=Arial
size=2><STRONG>#!/usr/bin/perl</STRONG></FONT></DIV>
<DIV><STRONG></STRONG> </DIV>
<DIV><FONT face=Arial size=2><STRONG>use
diagnostics;</STRONG></FONT></DIV>
<DIV><STRONG></STRONG> </DIV>
<DIV><FONT face=Arial size=2><STRONG>use CGI;</STRONG></FONT></DIV>
<DIV><STRONG></STRONG> </DIV>
<DIV><FONT face=Arial size=2><STRONG>my $query = new
CGI;</STRONG></FONT></DIV>
<DIV><STRONG></STRONG> </DIV>
<DIV><FONT face=Arial size=2><STRONG>print
$query->header;</STRONG></FONT></DIV>
<DIV><STRONG></STRONG> </DIV>
<DIV><FONT face=Arial size=2><STRONG>$impr = `/bin/cat
/usr/local/www/cgi-bin/aa.log`;</STRONG></FONT></DIV>
<DIV><STRONG></STRONG> </DIV>
<DIV><FONT face=Arial size=2><STRONG>print "teste:
$impr";<BR></STRONG></FONT></DIV>
<DIV><FONT face=Arial size=2><STRONG></STRONG></FONT> </DIV>
<DIV><FONT face=Arial size=2>quando acesso via Internet explorer veja o
httpd-error.log</DIV></FONT>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Insecure $ENV{PATH} while running setuid
at<BR>
/usr/local/www/cgi-bin/sam.cgi line 11 (#1)<BR> (F)
You can't use system(), exec(), or a piped open in a setuid
or<BR> setgid script if any of $ENV{PATH}, $ENV{IFS},
$ENV{CDPATH},<BR> $ENV{ENV}, $ENV{BASH_ENV} or
$ENV{TERM} are derived from data<BR> supplied (or
potentially supplied) by the user. The script must
set<BR> the path to a known value, using trustworthy
data. See perlsec.</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2>Uncaught exception from user
code:<BR> Insecure $ENV{PATH}
while running setuid at /usr/local/www/cgi-bin/sam.cgi line
11.<BR> at /usr/local/www/cgi-bin/sam.cgi line 11<BR></FONT></DIV>
<DIV><FONT face=Arial size=2>Agora qnd digit via prompt
veja</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial><FONT size=2># ./sam.cgi</FONT></FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>ele executa normal...</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Server version: Apache/1.3.33 (Unix)
PHP/5.0.4 mod_perl/1.29</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>o que esta acontecendo???</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>[]'s Douglas</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial><FONT size=2></FONT></FONT> </DIV>
<DIV><FONT face=Arial><FONT size=2></FONT><FONT
size=2></FONT> </DIV></FONT>
<P>
<HR>
<P></P>_______________________________________________<BR>Cascavel-pm
mailing
list<BR>Cascavel-pm@pm.org<BR>http://mail.pm.org/mailman/listinfo/cascavel-pm
<P>
<HR>
<P></P>No virus found in this incoming message.<BR>Checked by AVG
Anti-Virus.<BR>Version: 7.0.338 / Virus Database: 267.10.1/64 - Release
Date: 4/8/2005<BR></BLOCKQUOTE>
<P>
<HR>
<P></P>_______________________________________________<BR>Cascavel-pm
mailing
list<BR>Cascavel-pm@pm.org<BR>http://mail.pm.org/mailman/listinfo/cascavel-pm</BLOCKQUOTE>
<P>
<HR>
<P></P>_______________________________________________<BR>Cascavel-pm
mailing
list<BR>Cascavel-pm@pm.org<BR>http://mail.pm.org/mailman/listinfo/cascavel-pm
<P>
<HR>
<P></P>No virus found in this incoming message.<BR>Checked by AVG
Anti-Virus.<BR>Version: 7.0.338 / Virus Database: 267.10.1/64 - Release
Date: 4/8/2005<BR></BLOCKQUOTE>
<P>
<HR>
<P></P>_______________________________________________<BR>Cascavel-pm mailing
list<BR>Cascavel-pm@pm.org<BR>http://mail.pm.org/mailman/listinfo/cascavel-pm</BLOCKQUOTE></BODY></HTML>