[Full-disclosure] Re: Format String Vulnerabilities in Perl Programs



On Fri, 2 Dec 2005, Steven M. Christey wrote:

> In particular, the sprintf() and printf() functions in Perl can be
> abused if an attacker can control the contents of the format string.
> Since similar functions are used in C, it is possible that these
> functions will be used more frequently by C programmers who are new to
> Perl.
<<SNIP>>
> - for each programming language, identify and publicize all builtin
> or common library functions that use format strings.

For Perl projects, I'd also nominate syslog(), from the standard Sys::Syslog
module, for special attention. It's common in *NIX environments regardless
of programmers' backgrounds and is extremely likely to be called with
untrusted data interpolated directly in the format string argument --
syslog("info", "A user said $user_input"), for example.

Regards,
Mike
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/