[VPM] alternative to perl's Open?
Carl B. Constantine
cconstan at csc.uvic.ca
Tue Sep 7 14:24:55 CDT 2004
*On Tue Sep 07, 2004 at 09:57:08AM -0700, Peter Scott (Peter at PSDT.com) wrote:
> >Just a sec. You asked for an alternative to perl's open(). But the
> >exploit occurred through an unsafe argument being passed to wget. But
> >it seems highly unlikely that wget was invoked with either input set
> >to stdin or output set to stdout. So was open() involved at all? If
> >it was just a matter of getting a url from the user into $url and then
> >doing something like
> >
> > system("wget $url")
> >
> >then the answer is either to do regex validation of $url or to use the
> >list form of system() to bypass the shell.
>
> I think I misinterpreted you. The wget command wasn't in your
> code. The user inserted it with a '|' as part of a filename argument
> that ended up in an open() statement in your program. Right?
That is correct.
> What we're having trouble understanding is how a file upload CGI could
> do this given how CGI.pm does file uploads. So was the exploit via an
> open() statement in CGI.pm or in customer code? If the latter, what
> does that open() statement look like?
It was an exploit in the user script, not in CGI.pm. I can't answer what
the code looked like at present. I'll try to find out for you though.
--
Carl B. Constantine University of Victoria
Programmer Analyst http://www.csc.uvic.ca
UNIX System Administrator Victoria, BC, Canada
cconstan at csc.uvic.ca ELW B206, 721-8766
More information about the Victoria-pm
mailing list