use Perl; (All the Perl that's Practical to Extract and Report)

statico (5018)
ian.langworthNO@SPAMgmail.com
http://langworth.com/

PAUSE-ID: IAN [cpan.org]

Co-author of Perl Testing: A Developer's Notebook [oreilly.com]

Journal of statico (5018)

Tuesday December 13, 2005
12:34 AM

my code is gold

[ #27954 ]

This past Spring, at some point in my Software Development class, I had an opportunity to mimic a joke I once heard. Professor, I said, all my code is perfect. I assume that any bugs I find are in the Perl language itself. It was funny because it was so absurd. We all laughed and chortled.

Now it's not funny anymore: a claim this silly has actually been made.

First, consider the basics of trusting user input. Would you ever write the following CGI script?

#!/bin/sh
echo "Content-type: text/plain"
echo
# The raw query string is handed to the shell and executed as-is.
eval $QUERY_STRING

Somewhere, halfway around the world, a kid punches in http://example.com/~you/test.cgi?rm%20-rf%20" and erases what he can of your hard drive and attached storage. The consequences are obvious.

After this occurred, however, would you blame sh? Is every implementation of sh around the planet broken? Of course not. So why is Webmin blaming Perl for a similar mistake?

Perl syslog bug attack

Affects Webmin versions below 1.250 and Usermin versions below 1.180, with
syslog logging enabled.

    When logging of failing login attempts via syslog is enabled, an
    attacker can crash and possibly take over the Webmin webserver, due to
    a bug in Perl's syslog function. [...]

Take a look at the vulnerability details. Webmin passes user input straight to sprintf, which is about as safe a place to send user input as the eval keyword. Yet the developers blame Perl.
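The mistake the post is describing, as an added Perl example (not Webmin's or Sys::Syslog's own code): the same user-supplied string handed to sprintf once as the format and once as a %s argument. The login value is a constructed sample and the function names belong to this example only. Sys::Syslog's syslog is called as syslog($priority, $format, @args) and passes $format to sprintf, so the same rule applies to it, which is why the Sys::Syslog calls below appear only as comments.

```perl
#!/usr/bin/perl
# Added example, not Webmin's or Sys::Syslog's code: a user-controlled string
# must never be the FORMAT argument of sprintf (and so never the $format
# argument of Sys::Syslog::syslog, which hands that argument to sprintf).
use strict;
use warnings;

# Constructed sample input: a login name that happens to contain printf-style
# directives. The value is made up for this illustration.
my $login = 'bob%s%s%d';

# Vulnerable pattern (the Webmin-style mistake): the user-supplied string is
# interpolated into the format, so sprintf parses whatever directives it holds
# and looks for arguments that were never supplied.
sub format_unsafe {
    my ($user) = @_;
    return sprintf("Failed login for $user");
}

# Safe pattern: the format is a constant written by the programmer, and the
# user data travels as a %s argument, copied verbatim whatever it contains.
sub format_safe {
    my ($user) = @_;
    return sprintf('Failed login for %s', $user);
}

# Mitigation for code that must accept an already-built message and cannot
# change the callee's signature: neutralise '%' so the text renders literally.
sub escape_for_format {
    my ($text) = @_;
    (my $escaped = $text) =~ s/%/%%/g;   # '%%' is rendered as a single '%'
    return $escaped;
}

# Under 'use warnings' the unsafe call reports "Missing argument in sprintf"
# for each directive it found inside the user data; the safe call does not.
print "unsafe:  ", format_unsafe($login), "\n";
print "safe:    ", format_safe($login), "\n";
print "escaped: ", sprintf(escape_for_format("Failed login for $login")), "\n";

# The same shape with Sys::Syslog (shown as comments: no syslog daemon needed
# to read the example). syslog($priority, $format, @args) formats with sprintf.
#   use Sys::Syslog qw(:DEFAULT setlogsock);
#   syslog('auth|info', 'Failed login for %s', $login);   # user data via %s
#   syslog('auth|info', "Failed login for $login");       # the vulnerable form
```

The point of the three calls is that only the programmer-written format is ever parsed for directives; data that came over the network is either an argument to a %s or has its percent signs escaped before it goes anywhere near a format parser.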

(A correction has been emailed.)

  • There is a change in the Apache logging API starting at 2.0.49 which escapes data written to the error logs. See this link on the mod_perl [apache.org] website. So there may be some concern for those running webmin as root. But in my experience, it's always preferable to run daemons as non privileged users whenever possible.
  • After some communication, the description of the security notice on the Webmin site has been updated, but the incorrect title remains.
    --
    qw(Ian Langworth)
  • More details at the Perl foundation weblog [perlfoundation.org].
  • The title has been fixed, plus there's an announcement [perl.org] on the use Perl; main page.
    --
    qw(Ian Langworth)
  • Let's see. Webmin uses Sys::Syslog, whose syslog function, unlike its C-library cousin, passes its arguments to sprintf, a Perl function that contains an integer overflow bug. sprintf also happily accepts tainted data.

    Yet you claim the fault lies entirely at the side of webmin.

    I disagree. Sure, webmin has a fault, but the results of the fault wouldn't be as damaging as they are now because of the overflow bug in sprintf.