Opening files safely in Perl

Peter J. Holzer hjp at wsr.ac.at
Thu Dec 30 02:58:30 CST 1999


Preliminary note: imagine that in the Perl fragment below $ARGV[0] had
the value '@|rm -rf /', and that in a suid script.

----- Forwarded message from Henrik Edlund <henrik at EDLUND.ORG> -----

Date:         Wed, 29 Dec 1999 16:20:38 +0100
From: Henrik Edlund <henrik at EDLUND.ORG>
Subject:      Re: majordomo local exploit
To: BUGTRAQ at SECURITYFOCUS.COM

> - -snip-
>
> # If the first argument is "@filename", read the real arguments
> # from "filename", and shove them onto the ARGV for later processing
> # by &Getopts()
> #
> if ($ARGV[0] =~ /^\@/) {
>     $fn = shift(@ARGV);
>     $fn =~ s/^@//;
>     open(AV, $fn) || die("open(AV, \"$fn\"): $!\nStopped");
>
> - -snip-

This security problem is as common as Perl scripts. Perl
programmers should always specify for open what they want to do
(read/write) and just not be lazy and skip that when they want to
read. A simple fix like:

open(AV, "< $fn") || die("open(AV, \"< $fn\"): $!\nStopped");

should fix this problem. As we specify that we are reading by
using the < (less than) the script will simply choke and say that
it can't open the filename starting with a | (pipe), instead of
running the filename. There is no need, I believe, to use the
sysopen function as someone else suggested earlier.

I believe this security hole has been covered in some other
advisory concerning all Perl (especially CGI) scripts.

--
Henrik Edlund
http://www.edlund.org/

  "They were in the wrong place at the wrong time.
Naturally they became heroes."
                  Leia Organa of Alderaan, Senator

----- End forwarded message -----

-- 
   _  | Peter J. Holzer             | Nobody should ever have to be
|_|_) | Sysadmin WSR / Obmann LUGA  | ashamed if they have a secret love
| |   | hjp at wsr.ac.at               | for writing computer programs that
__/   | http://wsrx.wsr.ac.at/~hjp/ | actually work.  -- Donald E. Knuth
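The behaviour discussed in the forwarded mail, as an added example that is not part of either message or of the majordomo code: a small script that runs the three open styles (the original two-argument `open(AV, $fn)`, Henrik's `open(AV, "< $fn")`, and the three-argument `open(FH, '<', $fn)` that Perl 5.6 introduced after this thread) against constructed filenames. The helper `looks_magic` is an assumption of this example, written to flag the name forms that two-argument open interprets as pipes or redirections, so the script never actually hands such a name to the unsafe form.

```perl
#!/usr/bin/perl
# Added example, not from the mails above or from majordomo.
use strict;
use warnings;
use File::Temp qw(tempdir);

# Scratch file standing in for the "@filename" argument file (constructed).
my $dir  = tempdir(CLEANUP => 1);
my $real = "$dir/args";
open(my $out, '>', $real) or die "create $real: $!";
print $out "--verbose\n";
close $out;

# Names that two-argument open() treats as something other than a plain
# file: leading '|' (write to a command), trailing '|' (read from a
# command), leading '<', '>', '>>', '+<', '+>' and a bare '-'. Two-argument
# open strips leading and trailing whitespace first, so "  |cmd" counts too.
# This helper is an illustrative assumption, not a Perl built-in.
sub looks_magic {
    my ($fn) = @_;
    (my $t = $fn) =~ s/^\s+|\s+$//g;
    return 1 if $t =~ /^\+?[<>]|^\||\|$|^-$/;
    return 0;
}

# 1. The original majordomo style: mode and name come from one string.
sub open_bare      { my ($fn) = @_; open(my $fh, $fn)      or return; return $fh }
# 2. Henrik's fix: force read mode by prepending "< ".
sub open_lt_prefix { my ($fn) = @_; open(my $fh, "< $fn")  or return; return $fh }
# 3. Three-argument open (Perl 5.6+): the name is taken literally.
sub open_three_arg { my ($fn) = @_; open(my $fh, '<', $fn) or return; return $fh }

# Constructed sample values of $fn after the leading '@' has been removed.
my @samples = (
    [ 'plain file',        $real ],
    [ 'pipe-looking name', '|echo spawned' ],
    [ 'trailing blank',    "$real " ],
);

my @styles = (
    [ 'open(FH, $fn)',       \&open_bare ],
    [ 'open(FH, "< $fn")',   \&open_lt_prefix ],
    [ "open(FH, '<', \$fn)", \&open_three_arg ],
);

for my $sample (@samples) {
    my ($label, $fn) = @$sample;
    print "== $label: '$fn'\n";
    for my $style (@styles) {
        my ($name, $code) = @$style;
        # Never feed a pipe/redirection-looking name to the unsafe form:
        # with two-argument open it would start a shell command.
        if ($code == \&open_bare && looks_magic($fn)) {
            print "  $name: would run a command, not executed here\n";
            next;
        }
        if (my $fh = $code->($fn)) {
            my $first = <$fh>;
            $first = '' unless defined $first;
            chomp $first;
            close $fh;
            print "  $name: opened, first line '$first'\n";
        } else {
            print "  $name: refused ($!)\n";
        }
    }
}
```

Run it with plain `perl`; it needs no arguments. The pipe-looking name is refused by both the `"< $fn"` form and the three-argument form, which is the point of the forwarded mail. The trailing-blank sample shows the remaining difference: `"< $fn"` still inherits two-argument open's whitespace trimming and silently opens `$real`, while the three-argument form reports that the name as given does not exist.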

