[VPM] alternative to perl's Open?

Carl B. Constantine cconstan at csc.uvic.ca
Tue Sep 7 14:24:55 CDT 2004

*On Tue Sep 07, 2004 at 09:57:08AM -0700, Peter Scott (Peter at PSDT.com) wrote:
> >Just a sec.  You asked for an alternative to perl's open().  But the 
> >exploit occurred through an unsafe argument being passed to wget.  But 
> >it seems highly unlikely that wget was invoked with either input set 
> >to stdin or output set to stdout.  So was open() involved at all?  If 
> >it was just a matter of getting a url from the user into $url and then 
> >doing something like
> >
> >        system("wget $url")
> >
> >then the answer is either to do regex validation of $url or to use the 
> >list form of system() to bypass the shell.
> I think I misinterpreted you.  The wget command wasn't in your 
> code.  The user inserted it with a '|' as part of a filename argument 
> that ended up in an open() statement in your program.  Right?

That is correct.

> What we're having trouble understanding is how a file upload CGI could 
> do this given how CGI.pm does file uploads.  So was the exploit via an 
> open() statement in CGI.pm or in customer code?  If the latter, what 
> does that open() statement look like?

It was an exploit in the user script, not in CGI.pm. I can't answer what
the code looked like at present. I'll try to find out for you though.

Carl B. Constantine         University of Victoria
Programmer Analyst          http://www.csc.uvic.ca
UNIX System Administrator   Victoria, BC, Canada
cconstan at csc.uvic.ca        ELW B206, 721-8766

More information about the Victoria-pm mailing list