[Purdue-pm] security exploits
Dave Jacoby
jacoby at purdue.edu
Tue Jan 20 10:18:39 PST 2009
Joe Kline wrote:
> Something of interest to us:
> http://use.perl.org/~Alias/journal/38319
> An oldie but a goody:
> http://insecure.org/news/P55-07
I was here when they started up PLUG, the campus Linux group, and one of
the first meetings had the president showing off his fancy SGI box. He
had a CGI program that would show certain system data on it. He said it
was secure. I tried it, in front of the LUG and everybody. I got it to
show /etc/passwd with a simple injection attack. And this was in the bad
old days before shadow passwords.
Last I knew, the guy worked for a computer security company.
I've been thinking about config files for a while, trying to roll my own
with eval. When I found I could put abstract code in my config and it
would run, I decided that was a non-starter.
So I did what I should've done in the first place and checked Perl Best
Practices. Conway suggests using a CPAN module,
Config::[General|Std|Tiny] to parse config files rather than parsing
them yourself. I tried Config::Std, and while it takes care of the
ickiness of abstract code, I didn't notice it doing any chmod testing.
PBP isn't about security but about coding better, so I'm not too
surprised. I'll have to work up a standard way of doing that.
I saw that Use Perl post but not the insecure.org one. Thanks.
--
Dave Jacoby Address: WSLR S049
Purdue Genomics Core Mail: jacoby at purdue.edu
Jabber: jacoby at jabber.org
Phone: hah!
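The two points above, a config parser that treats its input as data rather than running it through eval, and a file ownership and permission check that the CPAN config modules do not do for you, combined into one script. This is an added illustration, not code from the post or from the Config::Std/Config::Tiny distributions. It assumes Config::Tiny is installed from CPAN (its `read` and `errstr` calls are its real API); the trustworthiness check and the sample config are my own construction, and the config content is made up for the demo.

```perl
#!/usr/bin/perl
# Added example: parse an INI-style config with Config::Tiny instead of eval,
# and refuse any config file that another local user could have modified.
use strict;
use warnings;
use Fcntl ':mode';
use File::Temp qw(tempfile);
use Config::Tiny;          # assumption: installed from CPAN

# Return true only if the file is a regular file (not a symlink), owned by us
# or root, and not writable by group or world. This is the "chmod testing"
# the post notes the config modules leave to the caller.
sub config_file_is_trustworthy {
    my ($path) = @_;
    my @st = lstat $path or die "cannot lstat $path: $!\n";
    my ($mode, $uid) = @st[2, 4];

    return 0 if S_ISLNK($mode);                 # no symlink tricks
    return 0 unless S_ISREG($mode);             # plain file only
    return 0 unless $uid == $< || $uid == 0;    # owned by us or root ($< = real uid)
    return 0 if $mode & (S_IWGRP | S_IWOTH);    # nobody else may write it
    return 1;
}

# Load the config, or die. The returned structure is a hash of sections;
# keys outside any [section] live under $cfg->{_}.
sub load_config {
    my ($path) = @_;
    die "refusing $path: untrusted ownership or permissions\n"
        unless config_file_is_trustworthy($path);
    my $cfg = Config::Tiny->read($path)
        or die "parse error in $path: " . Config::Tiny->errstr . "\n";
    return $cfg;
}

# Constructed sample config. The 'motd' value is deliberately shaped like
# Perl: with eval it would run, with a real parser it is just a string.
my $sample = <<'END_CONFIG';
[db]
host = localhost
port = 5432

[app]
; looks like code, but a parser stores it as text
motd = print "this is data, not code"
END_CONFIG

my ($fh, $path) = tempfile(UNLINK => 1);
print {$fh} $sample;
close $fh or die "close: $!\n";
chmod 0600, $path;     # tempfile already uses 0600; be explicit about intent

my $cfg = load_config($path);
printf "db host=%s port=%s\n", $cfg->{db}{host}, $cfg->{db}{port};
print  "app motd (a plain string): $cfg->{app}{motd}\n";

# Loosen the permissions and show the check refuses the same file.
chmod 0666, $path;
eval { load_config($path); 1 }
    or print "rejected after chmod 0666: $@";
```

The ownership test uses `lstat` rather than `stat` so a symlink pointing at a file you do not control is rejected outright rather than silently followed. If you prefer Config::Std, the `read_config $path => my %config;` call slots in where `Config::Tiny->read` is, with the same trustworthiness gate in front of it.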