[Melbourne-pm] Security hole??
Alfie John
alfiejohn at acm.org
Sun Jan 29 02:54:45 PST 2006
Hi,
On 29/01/2006, at 9:33 PM, Raphael Alla wrote:
> If this script is called security.cgi, and you invoke it like this:
> hostname/security.cgi?sub_name, then it will call the sub sub_name
> (it is a call of sub by reference).
>
> Potentially a user can call any sub from any module which it has
> available to it. It is seen as a bad habit to give the right to
> anyone on the internet to execute any sub on your system, yet I
> fail to find a practical threat coming from this specific construct.
>
Pointing to 'http://localhost/test.cgi?what_is_my_password' would do
the trick.
--- 8< ---
#!/usr/bin/perl
print "Content-type: text/html\n\n";
# The raw query string is used as a sub name (symbolic reference).
my $sub = $ENV{'QUERY_STRING'};
&{$sub};

sub what_is_my_password
{
    print q{your password is '0wn3d'};
}
--- >8 ---
However, is this a practical threat? Not really since you are doing
sanity checking. Aren't you ;)
Alfie
> R.
>
> On 1/29/06, David Dick <david_dick at iprimus.com.au> wrote:
>
>
> Raphael Alla wrote:
> > Let's consider the following perl cgi script. I cannot find a
> > practical way to use it as a security hole. Any suggestion?
> >
> > #!/usr/bin/perl
> > my $sub = $ENV{QUERY_STRING};
> > &{$sub};
>
> Maybe I'm just a little tired after the weekend, but this script would
> appear to not do anything apart from cause an error. What are you
> trying to achieve?
>
>
>
>
> --
> Raphael Alla
> Mitija Australia
> +61 4 15 678 576
>
> Premium open source accounting for Australia
> http://www.thetravelingaccountant.com
> _______________________________________________
> Melbourne-pm mailing list
> Melbourne-pm at pm.org
> http://mail.pm.org/mailman/listinfo/melbourne-pm
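
The sanity checking mentioned in the reply above, sketched as an added example that is not part of the original thread: the query string is validated and looked up in an allow-list of code references instead of being called as a symbolic reference. The handler names `status` and `version`, the `handle_query` function and the sample query strings are hypothetical.

```perl
#!/usr/bin/perl
# Added example (not from the thread): allow-list dispatch for a CGI action.
# With "use strict", the original &{$sub} on a plain string dies at run time
# ("strict refs"), so a name from the request can never select a sub directly.
use strict;
use warnings;

# Only these handlers are reachable from the web (hypothetical names).
my %DISPATCH = (
    status  => sub { return 'service is up' },
    version => sub { return 'example 1.0' },
);

# Defined in the same package but absent from %DISPATCH, so no query
# string can reach it.
sub what_is_my_password { return "your password is '0wn3d'" }

# Map a raw QUERY_STRING to (HTTP status, body) without ever using the
# string as a sub name.
sub handle_query {
    my ($query) = @_;
    $query = '' unless defined $query;

    # Accept only a short lower-case identifier: no '::' package
    # qualifiers, no percent-escapes, no extra parameters.
    return (400, 'bad request')
        unless $query =~ /\A[a-z_][a-z0-9_]{0,31}\z/;

    my $handler = $DISPATCH{$query}
        or return (404, 'unknown action');
    return (200, $handler->());
}

# Constructed sample query strings so the script runs offline; a real CGI
# would pass $ENV{QUERY_STRING} instead.
for my $q ('status', 'what_is_my_password', 'Some::Module::func', 'status;x') {
    my ($code, $body) = handle_query($q);
    printf "%-22s -> %d %s\n", $q, $code, $body;
}
```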