Beefy Boxes and Bandwidth Generously Provided by pair Networks
Perl-Sensitive Sunglasses
 
PerlMonks  

Re: Re: Dangerous diamonds!

by dws (Chancellor)
on May 18, 2003 at 15:57 UTC ( #258993=note: print w/ replies, xml ) Need Help??


in reply to Re: Dangerous diamonds!
in thread Dangerous diamonds!

BTW, who runs oneliners as root? (i'd consider that a bug)

It's not just one-liners, and it's not just root. Any script that doesn't untaint ARGV is vulnerable. Partly, that vulnerability is incidental, given that once someone has broken into an account it is a lot easier for them to do damage directly, rather than wasting time attacking some Perl script.

Very few Perl books talk about ARGV being a vulnerability. Or if they do, it's in passing in one part of the book, with examples in other parts ignoring the hazard.


Comment on Re: Re: Dangerous diamonds!
Re: Re: Re: Dangerous diamonds!
by Juerd (Abbot) on May 18, 2003 at 16:18 UTC

    Any script that doesn't untaint ARGV is vulnerable.

    Which is this thread's lesson :)

    But I still think magic ARGV should not use two-arg open.

    Juerd # { site => 'juerd.nl', plp_site => 'plp.juerd.nl', do_not_use => 'spamtrap' }

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://258993]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others avoiding work at the Monastery: (7)
As of 2014-12-20 00:28 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    Is guessing a good strategy for surviving in the IT business?





    Results (94 votes), past polls