|Perl: the Markov chain saw|
Re: Security with open() in CGI scriptsby smitz (Chaplain)
|on Feb 26, 2002 at 12:16 UTC||Need Help??|
Something weird you should look out for that I came across late one night:
Ok, whats the problem? CGI passes user_input=rfp , and the script tries to open rfp.db. (Lets ignore the ../../ stuff for now). Then it got interesting when I passed 'user_input=rfp%00'. Perl made $database="rfp\0.db", and then tried to open $database. The results?
It opened "rfp" (or would have, had it existed). What happened to the ".db"? As you probably know, Perl allows NULL characters in its variables as data. Unlike in C, NULL is not a string delimiter. But, the underlying system/kernel calls are programmed in C, which DOES recognize NULL as a delimiter. So the end result? Perl passes "rfp\0.db", but the underlying libs stop processing when they hit the first (our) NULL.
Im sure the brainpower of monks-combined (TM) could think of some nasty applications of this feature.
Update: I had intended to credit the author, RainForestPuppy, phrack mag 55-7. Sorry for the slip-up.
Added update per user request - dvergin 2002-02-26