RE: Perl code security (CGI related)

From: Michael Silk (silkm_at_hushmail.com)
Date: 04/06/04

    Date: Mon,  5 Apr 2004 15:42:05 -0700
    To: isc00801@nus.edu.sg, secprog@securityfocus.com
    
    

    Rick,

      All you need to do is figure out how to execute a shell
      command in Perl code ... I imagine it's something like:
      ---------------
      system("ls");
      ---------------

      So you would modify the value of "$default" such that
      this:
      ---------------
      eval $code;
      ---------------

      looks like this, at runtime:
      ---------------
      eval "system(\"ls\");";
      ---------------

      Hope that's clear ....

    -- Michael

    -----Original Message-----
    From: Rick Zhong [mailto:isc00801@nus.edu.sg]
    Sent: Monday, 5 April 2004 10:08 PM
    To: secprog@securityfocus.com
    Subject: Perl code security (CGI related)

    hi,
    I was looking at this vulnerable CGI code. I have tidied it a bit:

    ====================================================
    my $code = 'require '. "\"$default/" .$area. '.pm"; $lang ='. $area.
    '->new();';

    eval $code;
    ====================================================

    The $default is under the user's control. My question is whether Perl's eval
    function allows execution of a command such as "rm -rf *". Are there any
    execution restrictions on "eval"? I have tried on my Perl v5.8. It seems the
    "eval $code" can successfully change the behaviour of variables in the program.
    However, it does not have any effect if $code is a shell command such as
    "rm -rf *"...

    The CGI program is running on Apache 2.0 running under user apache. Let me
    know if you need any details of my questions. It will be very helpful if
    you can give any demo code etc.

    regards,
    Rick

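As an added example (not code from either poster), this is how the loader quoted above can be written without `eval STRING`: the plugin directory and the permitted area names are fixed in the script, the area name is pattern-checked before use, and the constructor is called on a class-name string, so a `$default` or `$area` value containing quotes or a `;` can never become code. The plugin directory, the allow-list and the `news.pm` plugin are constructed for the demonstration.

```perl
#!/usr/bin/perl
# Hardened replacement for the string-built 'eval $code' loader.
use strict;
use warnings;
use File::Temp qw(tempdir);

my $PLUGIN_DIR;                                      # set by the application, never by the request
my %KNOWN_AREA = map { $_ => 1 } qw(news weather);   # constructed allow-list of plugin names

sub load_area {
    my ($area) = @_;

    # Accept only a bare identifier: '/', '..', quotes and ';' cannot get through.
    die "invalid area name\n"
        unless defined $area && $area =~ /\A([A-Za-z_][A-Za-z0-9_]*)\z/;
    $area = $1;                                       # capture also untaints under 'perl -T'
    die "unknown area '$area'\n" unless $KNOWN_AREA{$area};

    # require with an explicit file path loads that file; it compiles no string.
    require "$PLUGIN_DIR/$area.pm";

    # A method call on a class-name string needs no eval either.
    return $area->new();
}

# --- demonstration with a constructed plugin in a temporary directory ---
$PLUGIN_DIR = tempdir(CLEANUP => 1);
open my $fh, '>', "$PLUGIN_DIR/news.pm" or die "cannot write plugin: $!";
print {$fh} "package news;\nsub new { bless { area => 'news' }, shift }\n1;\n";
close $fh;

# 'weather' is allow-listed but has no module file, so it fails closed.
for my $input ('news', '../../etc/passwd', 'news"; system("ls"); #', 'weather') {
    my $obj = eval { load_area($input) };             # block eval traps errors, compiles nothing
    if ($obj) { print "'$input' => loaded ", ref $obj, "\n" }
    else      { chomp(my $err = $@); print "'$input' => rejected: $err\n" }
}
```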
