note
Abigail-II
The problem doesn't lie in magic open. The problem lies in
assuming world writeable directories are safe. Consider the
following program:
<code>
foreach my $file (@ARGV) {
    open my $fh => ">", $file or die "Failed to open $file: $!\n";
    print $fh "Buzzle\n";
    close $fh or die "Failed to close $file: $!\n";
}
</code>
<p>
Or even:
<code>
foreach my $file (@ARGV) {
    truncate $file, 0 or die "Failed to truncate $file: $!\n";
}
</code>
<p>
which doesn't even open a file, let alone use magic open.
If you call any of those programs in a world writeable directory with <tt>*</tt> as argument as root, you're open
for a DoS attack. All the attacker needs to do is create
a symbolic link in the directory, pointing to an important
file like <tt>/etc/passwd</tt> or <tt>/vmunix</tt>, and
<strong>KABOOM!</strong>.
<p>
It would be very insecure to think that using 3-arg open will
fix your problems.
<p>
Abigail
258980
258980
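An added example, not part of the original post: a hardened form of the loop above that refuses to write through a planted symbolic link. The helper name `open_regular_nofollow` and the temporary sandbox layout are assumptions made for illustration, and the hard-link check goes one step beyond the symlink case the post describes.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_NOFOLLOW);
use File::Temp qw(tempdir);

# Hypothetical helper: open an existing file for writing, refusing symlinks.
# Returns ($fh, undef) on success or (undef, $reason) on refusal.
sub open_regular_nofollow {
    my ($file) = @_;
    # No O_CREAT and no O_TRUNC: nothing is modified until the checks pass.
    # O_NOFOLLOW makes the open fail if the last path component is a symlink.
    sysopen(my $fh, $file, O_WRONLY | O_NOFOLLOW)
        or return (undef, "open refused: $!");
    # stat the handle, not the name, so the check covers the opened object.
    my @st = stat($fh) or return (undef, "stat failed: $!");
    return (undef, "not a regular file") unless -f _;
    # Beyond the post: a hard link to another file would also show up here.
    return (undef, "more than one hard link") if $st[3] > 1;
    return ($fh, undef);
}

# Constructed sandbox: "victim" stands in for an important file, "shared"
# for the world-writeable directory, "planted" for the attacker's symlink.
my $dir    = tempdir(CLEANUP => 1);
my $victim = "$dir/victim";
mkdir "$dir/shared" or die "mkdir: $!\n";
for my $seed ([$victim, "important\n"], ["$dir/shared/ordinary", "old\n"]) {
    open my $out, ">", $seed->[0] or die "seed $seed->[0]: $!\n";
    print $out $seed->[1];
    close $out or die "close $seed->[0]: $!\n";
}
symlink $victim, "$dir/shared/planted" or die "symlink: $!\n";

foreach my $file ("$dir/shared/ordinary", "$dir/shared/planted") {
    my ($fh, $why) = open_regular_nofollow($file);
    unless ($fh) {
        warn "Skipping $file: $why\n";
        next;
    }
    truncate $fh, 0 or die "Failed to truncate $file: $!\n";
    print $fh "Buzzle\n";
    close $fh or die "Failed to close $file: $!\n";
}
printf "victim is still %d bytes\n", -s $victim;
```

`O_NOFOLLOW` only guards the final path component, so the directories leading to the file must themselves not be attacker-writeable.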