[VPM] alternative to perl's Open?

Peter Scott Peter at PSDT.com
Tue Sep 7 11:45:41 CDT 2004


At 09:30 AM 9/7/2004, Carl B. Constantine wrote:
>On Tue Sep 07, 2004 at 09:24:55AM -0700, abez (abez at abez.ca) wrote:
> >
> > From CGI.pm:
> >         use CGI;
> >         my $query = CGI->new;
> >         my $filename = $query->param('uploaded_file');   # a filehandle, not a name
> >         while (<$filename>) { print; }
> >
> > The file is saved to a tmp dir and then opened. $filename is the file
> > handle. It doesn't matter what the user named their file.
> >
> > If you are running perl code that other people supply you really can't
> > stop much. For instance they could have just forked a telnet daemon.
> >
> > I'd suggest running the perl scripts under a user who didn't have
> > privileges to anything.
>
>They did just that. It was a user CGI (we use suExec) and they used a
>pipe command to wget to get their stuff and run a daemon program
>backdoor for entry into the box.
>
>It was quite nasty.

Just a sec.  You asked for an alternative to perl's open().  But the 
exploit occurred through an unsafe argument being passed to wget.  But 
it seems highly unlikely that wget was invoked with either input set to 
stdin or output set to stdout.  So was open() involved at all?  If it 
was just a matter of getting a url from the user into $url and then 
doing something like

         system("wget $url")

then the answer is either to do regex validation of $url or to use the 
list form of system() to bypass the shell.

-- 
Peter Scott
Pacific Systems Design Technologies
http://www.perldebugged.com/
*** New! *** http://www.perlmedic.com/
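An added example (not code from the original thread or from Peter's post) in Perl that shows the two fixes suggested above side by side with the injectable form: a strict regex allow-list for $url, and the list form of system(), which runs wget without going through /bin/sh. The URLs and the use of printf as an offline stand-in for wget are constructed for the demonstration; the hosts are hypothetical.

```perl
#!/usr/bin/perl
# Added example, not code from the original thread. It contrasts the
# injectable system("wget $url") with regex validation of $url and the list
# form of system(), which runs wget without /bin/sh. The URLs are constructed.
use strict;
use warnings;

# A CGI run under suExec inherits the web server's environment; pin PATH so
# the list form resolves 'wget' from a known location only.
$ENV{PATH} = '/usr/bin:/bin';

# Constructed test inputs (hypothetical hosts). The second carries a shell
# metacharacter; the third is a wget option masquerading as a URL.
my @urls = (
    'http://example.com/pub/tool.tar.gz',
    'http://example.com/x; echo INJECTED',
    '--output-document=/tmp/owned',
);

# Allow-list validation: anchored at both ends, only URL characters, and the
# scheme prefix means the value can never start with '-'. Returns the matched
# string (which also untaints it under perl -T) or undef on rejection.
sub validate_url {
    my ($url) = @_;
    return unless defined $url && length($url) <= 2048;
    if ($url =~ m{\A(https?://[A-Za-z0-9.-]+(?::\d{1,5})?
                    (?:/[A-Za-z0-9._~%/+-]*)?(?:\?[A-Za-z0-9._~%&=+-]*)?)\z}x) {
        return $1;
    }
    return;
}

# VULNERABLE: a single string containing metacharacters makes Perl spawn
# /bin/sh -c, so ';' in $url terminates wget and starts a second command.
sub command_string_form {
    my ($url) = @_;
    return "wget $url";
}

# FIXED: the list form calls execvp() directly. $url stays one argv element
# whatever it contains, and '--' (getopt convention) ends option parsing.
sub command_list_form {
    my ($url) = @_;
    return ('wget', '--', $url);
}

# What a CGI should call: reject before running anything. Returns -1 when the
# URL fails validation, otherwise wget's system() status. (Not invoked below,
# since it needs network access.)
sub fetch {
    my ($url) = @_;
    my $clean = validate_url($url);
    return -1 unless defined $clean;
    return system(command_list_form($clean));
}

for my $url (@urls) {
    my $verdict = defined(validate_url($url)) ? 'accepted' : 'rejected';
    print "$verdict: $url\n";
    print "  string form, via sh: ", command_string_form($url), "\n";
    print "  list form argv:      ", join(' | ', command_list_form($url)), "\n";
}

# Offline demonstration of the argv boundary with printf standing in for wget:
# the string form runs two commands (the second prints INJECTED), while the
# list form prints the whole value as one argument.
my $hostile = $urls[1];
print "--- string form ---\n";
system("printf '%s\\n' $hostile");
print "--- list form ---\n";
system('printf', '%s\n', $hostile);
```

Running this under `perl -T` adds a third layer: Perl refuses the string-form system() on tainted input ("Insecure dependency"), and only the regex capture in validate_url() produces a value it will accept. Validation and the list form are complementary, not alternatives; the regex keeps option-looking values and odd schemes out, and the list form guarantees that whatever does get through is one argument and never shell syntax.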



More information about the Victoria-pm mailing list