OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
Bugtraq Archives: Re: majordomo local exploit

Re: majordomo local exploit

Subject: Re: majordomo local exploit
From: Jefferson Ogata (jogataNODC.NOAA.GOV)
Date: Wed Dec 29 1999 - 20:24:58 CST

Henrik Edlund wrote:
[majordomo Perl vulnerability discussion snipped]
> This security problem is as common as Perl scripts. Perl
> programmers should always specify for open what they want to do
> (read/write) and just not be lazy and skip that when they want to
> read. A simple fix like:
>
> open(AV, "< $fn") || die("open(AV, \"< $fn\"): $!\nStopped");
>
> should fix this problem. As we specify that we are reading by
> using the < (less than) the script will simple choke and say that
> it can't open the filename starting with a | (pipe), instead of
> running the filename. There is no need, I believe, to use the
> sysopen function as someone else suggested earlier.
>
> I believe this security hole has been covered in some other
> advisory concerning all Perl (especially CGI) scripts.

Perl programmers should always use the taint flag (-T), full warnings (-w), and
the strict module, and just not be lazy, period! These should be considered
mandatory in code that will be distributed as part of any automated system,
regardless of setuid execution. With taint enabled, the programmer would have
had to define the allowable range of arguments by untainting them, and this
problem would not exist.

Taint is there. Use it! Reliance on filename semantics for security is not the
Proper Way.

Also, require 5.004_05 or newer. Unfortunately, 5.004_04 has a somewhat obscure
taint bug.

Happy new year! 

--
Jefferson Ogata <jogatanodc.noaa.gov> National Oceanographic Data Center
You can't step into the same river twice. -- Herakleitos

This archive was generated by hypermail 2b27 : Thu Dec 30 1999 - 12:05:58 CST