  • Using values from web-form input in a qx{ sprintf "blah %s blah", $input } without taint checking the $input first is not safe, never was, never should have been considered safe. If someone ever said "it's only a way to crash the program, no way to break in here", they were not listening to history. Running system commands with user input is always going to be a target of opportunity, you have to defend that in depth. You've got to check for buffer overrun (even if you can't see the buffer) and ;'s and
    --
    Bill
    # I had a sig when sigs were cool
    use Sig;
    • I think what’s happening is that they’re doing something like this:

      printf "%${precision}d", $somenumber;

      where $precision derives from user input. This exposes Perl code to all the same format string vulnerabilities [wikipedia.org] that have commonly been found in C code. I’ve been pointing this out for a while now. I’m surprised that not more people have picked up on it.

      The right way to write that code, in the general case, is like so:

      $precision =~ s/%/%%/g;
      printf "%${precision}d", $somenumber;

      • by jhi (318) <jhi@iki.fi> on 2005.11.30 6:32 (#44917)
        > I’ve been pointing this out for a while now. I’m surprised that not more people have picked up on it.

        So I assume that you have long since reported this through perlbug and/or perl5-porters and since it's a security flaw also contacted the branch maintainers (Rafael and Nicholas) directly?

        • I think what he is saying is that it isn't a *core* Perl flaw but a flaw in programming methodology.

          • Well, let's say it's both. Perl could have been more paranoid, C lib could be more paranoid, Perl script authors should be more paranoid. Unclear, but I suspect this bug is only usable when Taint mode should have been on but wasn't? MaintPerl already has patch 26420 http://www.nntp.perl.org/group/perl.perl5.changes/14020 [perl.org], so Perl is now a bit more paranoid. The Ubuntu security team reports the problem as follows. Also patched in FC4 security updates and FC3 backport. Somewhere along the line the CVE# got typo
            --
            Bill
            # I had a sig when sigs were cool
            use Sig;
        • Huh? Should I also report the fact that open FH, $foo can be used for mischief if $foo derives from user input?

          And this isn’t even as openly dangerous.

          Cursory experimentation and a superficial browsing of the source suggests it’s not possible to corrupt perl’s stack using printf [perl.org], so this isn’t a vulnerability in perl. It is very well possible to inject unexpected %ns into the format string to make an application fall over, though, so it definitely constitutes a vulnerability in P
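An added illustration of the two points made in this thread (a user-supplied $precision interpolated into a printf format, and extra %-directives being injected to make the application misbehave), written for this page rather than taken from any poster; the subroutine names, the value 42 and the two sample inputs are constructed:

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Vulnerable form from the thread: user-controlled $precision is interpolated
# straight into the format string, so any "%" it carries becomes a directive.
sub format_unsafe {
    my ($precision, $number) = @_;
    return sprintf "%${precision}d", $number;
}

# Hardened form: accept only a short digit string (the capture also untaints
# it under -T), then hand the width to sprintf through '*' so it is an
# argument and never part of the format itself.
sub format_safe {
    my ($precision, $number) = @_;
    my ($width) = ($precision // '') =~ /\A([0-9]{1,2})\z/
        or die "rejected precision '" . ($precision // '') . "'\n";
    return sprintf "%*d", $width, $number;
}

# Constructed inputs: a normal width, and a value that smuggles extra
# directives ("%s") into the format built by format_unsafe.
for my $precision ('6', '6s %s') {
    my @warnings;
    local $SIG{__WARN__} = sub { push @warnings, $_[0] };

    # "%6s %sd": the injected %s consumes the number, the second %s has no
    # argument left and perl warns "Missing argument in sprintf".
    my $out = format_unsafe($precision, 42);
    chomp @warnings;
    printf "unsafe  '%s' -> '%s'%s\n", $precision, $out,
        @warnings ? "  (warned: $warnings[0])" : '';

    my $safe = eval { format_safe($precision, 42) };
    my $err  = $@;
    chomp $err;
    printf "safe    '%s' -> %s\n", $precision,
        defined $safe ? "'$safe'" : "refused: $err";
}
```

Run without -T the second input still shows the format being hijacked ('    42 d' plus the warning), while format_safe refuses it; the same regex check is what -T would require before the value could reach sprintf at all.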