[VPM] alternative to perl's Open?
Peter Scott
Peter at PSDT.com
Tue Sep 7 11:57:08 CDT 2004
At 09:45 AM 9/7/2004, I wrote:
>At 09:30 AM 9/7/2004, Carl B. Constantine wrote:
>>*On Tue Sep 07, 2004 at 09:24:55AM -0700, abez (abez at abez.ca) wrote:
>> >
>> > >From CGI.pm
>> > my $query = CGI->new;
>> > $filename = $query->param('uploaded_file');
>> > while(<$filename>) { print; }
>> >
>> > The file is saved to a tmp dir and then opened. $filename is the file
>> > handle. It doesn't matter what the user named their file.
>> >
>> > If you are running perl code that other people supply you really can't
>> > stop much. For instance they could have just forked a telnet daemon.
>> >
>> > I'd suggest running the perl scripts under a user who didn't have
>> > privileges to anything.
>>
>>They did just that. It was a user CGI (we use suExec) and they used a
>>pipe command to wget to get their stuff and run a daemon program
>>backdoor for entry into the box.
>>
>>It was quite nasty.
>
>Just a sec. You asked for an alternative to perl's open(). But the
>exploit occurred through an unsafe argument being passed to wget. But
>it seems highly unlikely that wget was invoked with either input set
>to stdin or output set to stdout. So was open() involved at all? If
>it was just a matter of getting a url from the user into $url and then
>doing something like
>
> system("wget $url")
>
>then the answer is either to do regex validation of $url or to use the
>list form of system() to bypass the shell.
I think I misinterpreted you. The wget command wasn't in your
code. The user inserted it with a '|' as part of a filename argument
that ended up in an open() statement in your program. Right?
What we're having trouble understanding is how a file upload CGI could
do this given how CGI.pm does file uploads. So was the exploit via an
open() statement in CGI.pm or in customer code? If the latter, what
does that open() statement look like?
--
Peter Scott
Pacific Systems Design Technologies
http://www.perldebugged.com/
*** New! *** http://www.perlmedic.com/
More information about the Victoria-pm
mailing list