Re: Can System() of Perl be bypassed?

From: Dana Epp (dana@vulscan.com)
Date: 01/22/03

    From: "Dana Epp" <dana@vulscan.com>
    To: "Sandeep Giri" <sandeepgiri@indiatimes.com>, <secprog@securityfocus.com>
    Date: Wed, 22 Jan 2003 14:26:17 -0800
    
    

    Never trust user input. Assume it is malicious input unless you find
    otherwise.

    Perl is an awesome language for regex checking. It is very possible to
    misuse the system() command in Perl if you are just shoving user arguments
    directly to the system() call.

    Consider determining what exactly the arguments are supposed to look like,
    and validate it as it comes from the untrusted boundary (the argument itself)
    into the trusted boundary where you are about to use it (your code). As an
    example, if the Perl script is expecting an integer value (maybe a port
    number for instance) validate that it's actually an integer value between two
    particular numbers. The same would go for any other argument you are looking
    for.

    To learn more on what taint mode is actually good for, check out:
    http://gunther.web66.com/FAQS/taintmode.html

    A combination of user input validation with taint may work for you, but
    taint alone should not be considered enough. Remember all taint does is set
    the perl interpreter into a paranoid mode and expect everything to be bad
    (a good thing (tm) ). However, you still need to validate the data itself.

    ---
    Regards,
    Dana M. Epp
    ----- Original Message -----
    From: "Sandeep Giri" <sandeepgiri@indiatimes.com>
    To: <secprog@securityfocus.com>
    Sent: Tuesday, January 21, 2003 11:03 PM
    Subject: Can System() of Perl be bypassed?
    >
    >
    > Hi All,
    > In my PERL code, I am using user's input as command line argument for the
    > program being executed by System().
    > Can user run command of his choice by giving malicious input?
    > Is PERL's -T (Taint mode) the solution for this?
    >
    > Thanks.
    >
    > Sandeep Giri
    >
    
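The pattern Dana describes, as an added example that is not part of the original thread: a small wrapper around `ping` (a hypothetical program chosen for illustration; the poster never names the one being run) written first in the single-string `system()` form that hands the argument to `/bin/sh`, then in a hardened form that validates each argument against an explicit grammar, untaints it through a regex capture, and uses the list form of `system()` so no shell is involved. The host and count grammars are assumptions for the example.

```perl
#!/usr/bin/perl -T
# Added example, not from the original post. Run as:  perl -T ping_wrapper.pl
# (-T must also be on the command line, or perl dies with "Too late for -T").
use strict;
use warnings;

# UNSAFE: a single string is passed to /bin/sh, so metacharacters in $host
# such as ';', '|', '`' or '$(...)' are run as commands, e.g.
#   $host = 'localhost; id'   ->   ping -c 1 localhost; id
# Under -T this call dies with "Insecure dependency in system" as soon as
# either variable is tainted, but taint only stops the call; it does not
# tell you what a valid host looks like.
sub ping_unsafe {
    my ($host, $count) = @_;
    return system("ping -c $count $host");
}

# Validate a hostname: dot-separated labels of letters, digits and hyphens,
# no leading or trailing hyphen, label length 1..63 (RFC 1123 shape, assumed
# sufficient for this example). Returning the capture $1 untaints the value.
sub valid_host {
    my ($h) = @_;
    my $label = qr/[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?/;
    return $h =~ /\A((?:$label\.)*$label)\z/ ? $1 : undef;
}

# Validate an integer argument against a range, as Dana suggests for a port
# number: here 1..20 packets. Again the capture is what we return.
sub valid_count {
    my ($c) = @_;
    return ( $c =~ /\A([1-9][0-9]?)\z/ && $1 <= 20 ) ? $1 : undef;
}

# SAFE: each element of the list becomes one argv entry; there is no shell
# to interpret metacharacters, and both values were validated and untainted.
sub ping_safe {
    my ($host, $count) = @_;
    my $h = valid_host($host)   or die "bad host '$host'\n";
    my $c = valid_count($count) or die "bad count '$count'\n";

    # perlsec: under -T, PATH and the IFS/CDPATH/ENV/BASH_ENV variables must
    # be untainted (or absent) before system() will run anything.
    local $ENV{PATH} = '/bin:/usr/bin';
    delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

    return system('ping', '-c', $c, $h);
}

# Constructed inputs: one benign host and two injection attempts. Only the
# first reaches ping; the others are rejected by validation, never by luck.
for my $input ('localhost', 'localhost; id', '`id`', 'a..b') {
    my $ok = eval { ping_safe($input, 1); 1 };
    printf "%-18s %s", "'$input'", $ok ? "accepted\n" : "rejected: $@";
}
```

The important difference is not the regex itself but where the decision is made: `ping_unsafe` lets the shell decide what the string means, while `ping_safe` decides first, passes only what it has decided to accept, and never consults a shell. Taint mode is the backstop that turns a forgotten validation into a fatal error rather than a command injection.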

