[Purdue-pm] security exploits

Dave Jacoby jacoby at purdue.edu
Tue Jan 20 10:18:39 PST 2009

Joe Kline wrote:
> Something of interest to us:
> http://use.perl.org/~Alias/journal/38319

> An oldy but a goody:
> http://insecure.org/news/P55-07

I was here when they started up PLUG, the campus Linux group, and one of 
the first meetings had the president showing off his fancy SGI box. He 
had a CGI program that would show certain system data on it. He said it 
was secure. I tried it, in front of the LUG and everybody. I got it to 
show /etc/passwd with a simple injection attack. And this was in the bad 
old days before shadow passwords.

Last I knew, the guy worked for a computer security company.

I've been thinking about config files for a while, trying to roll my own 
with eval. When I found I could put abstract code in my config and it 
would run, I decided that was a non-starter.

So I did what I should've done in the first place and checked Perl Best 
Practices. Conway suggests using a CPAN module, 
Config::[General|Std|Tiny] to parse config files rather than parsing 
them yourself. I tried Config::Std, and while it takes care of the 
ickiness of abstract code, I didn't notice it doing any chmod testing. 
PBP isn't about security but about coding better, so I'm not too 
surprised. I'll have to work up a standward way of doing that.

I saw that Use Perl post but not the insecure.org one. Thanks.

Dave Jacoby                         Address: WSLR S049
Purdue Genomics Core                Mail:    jacoby at purdue.edu
                                     Jabber:  jacoby at jabber.org
                                     Phone:   hah!

More information about the Purdue-pm mailing list