[Melbourne-pm] Security hole??

Sun Jan 29 03:00:48 PST 2006

Raphael Alla wrote:
> If this script is called security.cgi, and you invoke it like this:
> hostname/security.cgi?sub_name, then it will call the sub sub_name (it
> is a call of sub by reference).
> 
> Potentially a user can call any sub from any module which it has
> available to it. It is seen as a bad habit to give the right to anyone
> on the internet to execute any sub on your system, yet I fail to find a
> practical threat coming from this specific construct.

>     > *#!/usr/bin/perl
>     > my $sub = $ENV{QUERY_STRING};
>     > &{$sub};

This code in and of itself won't work.  It doesn't matter what
$ENV{QUERY_STRING} is, there aren't any subroutines to be invoked.  Assuming you
have subroutines that you are willing to invoke, there's a better solution
(better for all sorts of reasons such as obviousness, maintainability,
preventing accidents...) using a dispatch table.

	#!/usr/bin/perl -w
	use strict;

	my %dispatch = (
		sub1 => \&sub1,
		sub2 => \&sub2,
		# ...
	);

	my $sub = $ENV{QUERY_STRING};

	if(exists $dispatch{$sub}) {
		$dispatch{$sub}->();
	}
	else {
		die "unknown sub $sub";
	}

or something like that.  I haven't tested the above, nor slept for 2 nights.
Remove the if/else to get something more like your code.

Sure the code takes up more space, but it is strict compliant, limits the
subroutines that can be called and generally makes people who have to look at
your code happier.

As for specific security threats, it depends on what your subroutines do.  If
your code can be tricked into doing something that you didn't intend it to do,
there's a bug.  If you have *private* subroutines, which generate email, or
print reports, or display sensitive information, then this is a security hole.
Relying on your attacker not to guess the names of those subroutines, is
security through obscurity, and consequently a bad idea.  Ideally you should
code as if your attacker has access to read your source code.  They might.

If you don't have private subroutines, and you really are willing for *all*
subroutines that this file has access to, to be called; then the threat is
likely minimal.  Of course, someone will later go and add a private subroutine
to your code, and get confused when it gets called in strange circumstances...
Some security focus must be spent on future proofing your code, from a
maintainer who is focussing on something other than how clever you have been.

All the best,

	Jacinta

-- 
   ("`-''-/").___..--''"`-._          |  Jacinta Richardson         |
    `6_ 6  )   `-.  (     ).`-.__.`)  |  Perl Training Australia    |
    (_Y_.)'  ._   )  `._ `. ``-..-'   |      +61 3 9354 6001        |
  _..`--'_..-_/  /--'_.' ,'           | contact at perltraining.com.au |
 (il),-''  (li),'  ((!.-'             |   www.perltraining.com.au   |