Re: Can System() of Perl be bypassed?
From: Luciano Miguel Ferreira Rocha (strange@nsk.no-ip.org)
Date: 01/24/03
- Previous message: Ed Carp: "Re: Standards for developing secure software"
- In reply to: Brian Hatch: "Re: Can System() of Perl be bypassed?"
- Next in thread: Glynn Clements: "Re: Can System() of Perl be bypassed?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 24 Jan 2003 00:27:49 +0000
From: Luciano Miguel Ferreira Rocha <strange@nsk.no-ip.org>
To: secprog@securityfocus.com
On Thu, Jan 23, 2003 at 02:15:43PM -0800, Brian Hatch wrote:
> > my @args = ($Keywords,....);
> > my @cmd = ("$JAVA",
> > "-search.home=$SEARCH_HOME",
> > "Searcher",
> > @args);
> > (system(@cmd) == 0) || error();
> >
> > Need I be more paranoid than this and use my own regex to filter out
> > keywords my self?
> However I have no idea if those values could be used to
> break the program itself ($JAVA). If this program were
> running with greater privs (suid, CGI, etc) then they can
> supply a new $SEARCH_HOME path then they could cause their
> own code to run. If there are bad keywords then you aren't
> doing anything to get rid of them. (Or, preferably, only
> allowing good keywords.)
Java (at least Sun's sdk) ignores any options after a class or jar file,
and passes them to the application instead.
Regards,
Luciano Rocha
-- Consciousness: that annoying time between naps.
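The two points raised in this thread, that the list form of `system()` bypasses the shell and that untrusted keywords should still be allow-listed (and kept after the class name so the launcher never sees them as options), can be shown in one short script. This is an added example, not code from the thread; `run_search` takes the launcher as a list reference (an assumption, so the demo can use `perl -e` as a stand-in for `$JAVA` and run anywhere), and the keyword pattern is an illustrative allow-list, not a rule from the thread.

```perl
#!/usr/bin/perl
# Added example, not from the thread. $java_ref and $search_home are assumed
# values; perl itself stands in for the Java launcher so the script runs offline.
use strict;
use warnings;

# Allow-list (illustrative): letters, digits, '.', '_' and '-', must not start
# with '-' so the child cannot read it as an option, bounded length. Anything
# else (shell metacharacters, empty, too long) is rejected rather than "cleaned".
sub keyword_ok {
    my ($kw) = @_;
    return 0 unless defined $kw;
    return $kw =~ /\A[A-Za-z0-9][A-Za-z0-9._-]{0,63}\z/ ? 1 : 0;
}

# Same argv shape as the original post: launcher, trusted options, class name,
# untrusted keywords last. With more than one element in the list, system()
# calls execvp() directly; /bin/sh is never involved, so each element reaches
# the child as exactly one argv entry. (A single-element list containing
# metacharacters WOULD go through the shell, which is why @cmd is never joined.)
sub run_search {
    my ($java_ref, $search_home, @keywords) = @_;
    for my $kw (@keywords) {
        die "rejected keyword: '$kw'\n" unless keyword_ok($kw);
    }
    my @cmd = (@$java_ref, "-search.home=$search_home", "Searcher", @keywords);
    my $rc = system(@cmd);
    die "could not run $java_ref->[0]: $!\n" if $rc == -1;
    return $rc >> 8;    # child's exit status
}

# Stand-in child: prints its argv one entry per line so we see what arrived.
# '--' ends perl's own option parsing, so everything after it lands in @ARGV.
my @fake_java = ($^X, '-e', 'print "argv: $_\n" for @ARGV', '--');

# 1. Constructed hostile input through list-form system() WITHOUT the check:
#    the metacharacters arrive literally as single arguments, nothing executes.
print "--- list-form system(), no shell:\n";
system(@fake_java, 'Searcher', 'perl; echo INJECTED', '$(id)');

# 2. The same inputs against the allow-list are rejected before anything runs.
print "--- allow-list decisions:\n";
for my $kw ('perl', 'perl.5.8', 'perl; echo INJECTED', '-version', '$(id)') {
    printf "%-24s %s\n", "'$kw'", keyword_ok($kw) ? 'accepted' : 'rejected';
}

# 3. Full call with acceptable keywords (search home is a constructed path).
print "--- run_search with valid keywords:\n";
my $status = run_search(\@fake_java, '/opt/search', 'perl', 'security');
print "exit status: $status\n";
```

Run it with `perl script.pl`: section 1 prints `perl; echo INJECTED` and `$(id)` as two literal argv lines with no `INJECTED` output and no `uid=` line, which is the whole point of the list form; section 2 shows `-version` rejected even though it contains no shell metacharacters at all, because a leading `-` is an option to the child, not a shell problem, and that is the part `system()` alone does not address.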
- Next message: Jason Coombs: "RE: PGP scripting..."