> Is there a good tutorial on untainting data received via a cgi script?

If you look at the message right before yours, you'll see a link.
http://www.easystreet.com/~ovid/cgi_course/lesson_three/lesson_three.html
Best Regards,
JOSHUA D. HAYDEN
Owner/Operator of www.PinnacleSiteDesign.com

----- Original Message -----
From: "Rob" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, February 26, 2002 5:50 PM
Subject: Re: Very serious security hole in your script

> Is there a good tutorial on untainting data received via a cgi script?
>
> On Tue, 26 Feb 2002, Curtis Poe wrote:
>
> > --- erotomek <[EMAIL PROTECTED]> wrote:
> > > ALWAYS USE THE TAINT MODE !!!
> > >
> > > Use the -T switch:
> > >
> > >     #!/usr/bin/perl -wT
> > >
> > > and untaint the $file variable:
> > >
> > >     die 'INSECURE $file !!!' if $file =~ /\.\./;
> > >     if ($file =~ /^([-\w./]+)$/) { $file = $1 }
> > >     else { die 'INSECURE $file !!!' }
> > >
> > > and now you can use it.
> >
> > You supplied some great information, however, your example of plugging the security hole has a
> > security hole itself. From the command line on any *nix system, enter the following (assuming you
> > are not in root):
> >
> >     cd \.\.
> >
> > You quickly discover that the shell allows those dots to be escaped. In a url, that translates to
> > something like:
> >
> >     %5c.%5c.%2F%5c.%5c.%2Fetc%2Fpasswd
> >
> > (That's "\.\./\.\./etc/passwd")
> >
> > Many variations of that can be tried to find out if there is a security hole. If you must allow
> > the user to specify a file name, get rid of any ASCII zeroes in the file name (to prevent NUL byte
> > hacks -- I explain that at
> > http://www.easystreet.com/~ovid/cgi_course/lesson_three/lesson_three.html under the title "Poison
> > Null byte"). Then, you can use File::Path to get the real filename. Even then, though, I'm leery
> > of allowing the user data near the shell, but sometimes it is necessary.
> >
> > Cheers,
> > Curtis "Ovid" Poe
> >
> > =====
> > "Ovid" on http://www.perlmonks.org/
> > Someone asked me how to count to 10 in Perl:
> > push@A,$_ for reverse q.e...q.n.;for(@A){$_=unpack(q|c|,$_);@a=split//;
> > shift@a;shift@a if $a[$[]eq$[;$_=join q||,@a};print $_,$/for reverse @A
>
> --
> Rob
>
> Good judgement comes from experience, and experience -
> well, that comes from poor judgement.
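The thread above argues about three separate checks on a user-supplied file name: the poison NUL byte, the characters the whitelist regex lets through (the `%5c` backslash variant), and resolving the "real" file name before trusting it. The script below is an added example written for this page; it is not erotomek's or Curtis Poe's code and it is not from the linked CGI course. It assumes the name arrives URL-encoded exactly as in the thread (the `%XX` decoding is done inline here, which CGI.pm would normally do for you), it uses `Cwd::realpath` plus a prefix comparison to confine the resolved path to a document root, and the document root itself is a temporary directory the script constructs so the whole thing runs offline under `-T`.

```perl
#!/usr/bin/perl -T
# Added example, not code from the thread. Untaints a user-supplied file
# name under -T and confines it to a document root. Assumptions: the
# parameter arrives URL-encoded as in the thread (decoded here; CGI.pm
# would normally do this), and the document root is a tempdir created
# below purely for the demonstration.
use strict;
use warnings;
use Cwd        qw(realpath);
use File::Spec;
use File::Temp qw(tempdir);

# Under -T the environment is tainted; pin PATH before any external call
# and drop the variables the shell would honour (perlsec's standard advice).
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Returns ($resolved_path, undef) on success or (undef, $reason) on refusal.
sub safe_path {
    my ($base, $raw) = @_;

    # %XX decoding: "%5c" -> "\", "%2F" -> "/", "%00" -> NUL. Still tainted.
    (my $name = $raw) =~ s/%([0-9A-Fa-f]{2})/chr hex $1/ge;

    # Poison null byte: the C-level open() stops at the first NUL, so
    # "index.html%00.gif" would open index.html. Reject it, don't strip it.
    return (undef, 'NUL byte') if $name =~ /\0/;

    # Whitelist untaint: only what $1 captures is considered clean by -T.
    # "\" is not in the class, so the decoded "\.\./" form never gets through.
    my ($clean) = $name =~ m{\A([\w.\-/]+)\z}
        or return (undef, 'character outside [A-Za-z0-9_.-/]');
    return (undef, 'absolute path')     if $clean =~ m{\A/};
    return (undef, 'dot-dot component') if grep { $_ eq '..' } split m{/}, $clean;

    # Resolve symlinks and ".." on both sides, then check the result is
    # still below the root. realpath may return undef if a directory in
    # the path does not exist.
    my $root = realpath($base);
    my $full = realpath(File::Spec->catfile($base, $clean));
    return (undef, 'cannot resolve')        unless defined $full;
    return (undef, 'escapes document root') unless index($full, "$root/") == 0;
    return (undef, 'not a regular file')    unless -f $full;
    return ($full, undef);
}

# --- constructed fixture: docs/index.html, docs/img/logo.png, and
# docs/link -> ../outside, a symlink that points out of the document root.
my $tmp  = tempdir(CLEANUP => 1);
my $docs = "$tmp/docs";
mkdir $docs          or die "mkdir: $!";
mkdir "$docs/img"    or die "mkdir: $!";
mkdir "$tmp/outside" or die "mkdir: $!";
for my $f ("$docs/index.html", "$docs/img/logo.png", "$tmp/outside/secret.txt") {
    open my $fh, '>', $f or die "$f: $!";
    close $fh;
}
symlink "$tmp/outside", "$docs/link" or die "symlink: $!";

my @cases = (
    'index.html',                          # accepted
    'img/logo.png',                        # accepted
    '..%2F..%2Fetc%2Fpasswd',              # dot-dot component
    '%5c.%5c.%2F%5c.%5c.%2Fetc%2Fpasswd',  # the thread's backslash variant
    '%2Fetc%2Fpasswd',                     # absolute path
    'index.html%00.gif',                   # poison NUL byte
    'link/secret.txt',                     # passes the regex, fails realpath
    'nothere.html',                        # nothing to serve
);
for my $c (@cases) {
    my ($path, $why) = safe_path($docs, $c);
    printf "%-38s %s\n", $c, defined $path ? "OK  $path" : "REJECT ($why)";
}
```

Because `-T` sits on the `#!` line, run it as `./untaint.pl` or `perl -T untaint.pl`; plain `perl untaint.pl` dies with "Too late for -T". The `link/secret.txt` case is the one the regex alone cannot catch: every character is in the whitelist and there is no `..`, yet the file lives outside the root, which is why the `realpath` containment check is the step that actually decides what gets opened.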