>"Jonathan E. Paton" <[EMAIL PROTECTED]> wrote:
>>> something like opening a file, but can somebody
>>> show me how example below can compromise my website?
>>> 
>>> open(F, "/home/users/me/web/$in{'NAME'}.ext");
>>
>> What if $in{'NAME'} started with "../../../../tmp/"?
>>
>> Now, if in the tmp directory a link was created with
>> that file extension, then they could open anything
>> according to your scripts permissions.  Scary, but
>> not far fetched - it's a frequently exploited idea.
>
> That's true but this is not of my primary concern
> (there are no crackers with telnet access to the
> site :))

That'd make your script a possible target for further
defeating your security.  Since it probably runs as
"nobody" then it's unlikely it can benefit a hacker.
Getting that telnet account is probably quite hard, on
an appropriately secured box anyway.

However, the fact that this *could* be exploited means
that you shouldn't overlook it... unless the overall
security and importance of that server isn't that high
anyway - on an intranet for example.

>>> I'm thinking more of other scary possibility, that
>>> web visitors can execute commands abusing ';' or '|'.
>>> Can something like '; rm * ;' actually execute?
>>> (note suffix '.ext')
>>
>> Not in this instance, $in{'NAME'} must result in a
>> string,
>
> Yes %in is filled with parsed user variables, so I'm
> safe then, huh? :)

I don't think the shell is called to resolve the 
"/home/users/me/web/$in{'NAME'}.ext" bit, and therefore
you cannot run commands with it.  Then again, I might be
completely wrong.  Read:

perldoc perlopentut
perldoc -f open

>> It can't magically turn into a subroutine call... unless
>> it's a tied hash - which you'd definitely know about.
>
> No, actually I don't, could you point me somewhere to
> perldoc?

A tied hash is magic, it makes an object look like a mere
hash.  When you access the hash in any way it calls methods
(subroutines) of the object.  It's not a security risk as
such, and only a side interest.  Documentation is at:

perldoc perltie

>> At the top of your script use:
>>
>> #!/usr/bin/perl -wT
>>
>> This code won't even work, since it'll be reported as
>> insecure.  When you've worked that bit out, you'll be
>> back for a way of untainting your data ;-)  We'll be
>> waiting!
>
> Tnx, I've read somewhere about -T switch but right now
> don't have time to toy with, variable filtering works
> nicely.

-T is for taint mode, the draconian approach to secure
programming.  It 'taints' data which comes from outside
the script, and forces you to 'untaint' it using regular
expressions.  Worth learning, if security matters.

perldoc perlsec

Jonathan Paton
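The untainting the thread points at (check $in{'NAME'} against a regular expression, then open the file), as an added example written for this page and not code from the thread; the %in hash, the $base directory and the allowed name pattern are assumptions:

```perl
#!/usr/bin/perl -wT
# Added example (not from the thread): validate $in{'NAME'} before open().
# Assumes %in holds already-parsed form input, as in the original script.
use strict;
use warnings;

my $base = "/home/users/me/web";   # directory from the thread's open() call

# Untaint NAME: accept only a plain word of letters, digits, '_' or '-'.
# "../../../../tmp/x" and "; rm * ;" both fail the match and are rejected.
# The capture ($1) is what clears the taint flag under -T.
sub safe_name {
    my ($raw) = @_;
    return unless defined $raw;
    return $1 if $raw =~ /\A([A-Za-z0-9_-]{1,64})\z/;
    return;                          # tainted or malformed: refuse
}

sub open_page {
    my ($raw) = @_;
    my $name = safe_name($raw)
        or return (undef, "rejected name");
    my $path = "$base/$name.ext";
    # Three-argument open with an explicit '<' mode (see perlopentut): the
    # filename is taken literally, so no '|', '>' or other open()
    # metacharacters are reinterpreted even if the prefix/suffix change later.
    open(my $fh, '<', $path) or return (undef, "cannot open $path: $!");
    return ($fh, undef);
}

# Constructed inputs covering the cases raised in the thread.
for my $try ('index', '../../../../tmp/evil', '; rm * ;', 'page|') {
    my ($fh, $err) = open_page($try);
    if ($fh) { print "$try: opened\n"; close $fh }
    else     { print "$try: $err\n" }
}
```

Run it directly via the shebang or as `perl -T script.pl`; invoking it as `perl script.pl` makes Perl stop with "Too late for -T" because taint mode must be enabled before the script starts.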
