Beefy Boxes and Bandwidth Generously Provided by pair Networks
We don't bite newbies here... much
 
PerlMonks  

Re: Security with open() in CGI scripts

by smitz (Chaplain)
on Feb 26, 2002 at 12:16 UTC ( #147535=note: print w/ replies, xml ) Need Help??


in reply to Security with open() in CGI scripts

Something weird you should look out for that I came across late one night:

# parse $user_input $database="$user_input.db"; open(FILE "<$database");
Ok, whats the problem? CGI passes user_input=rfp , and the script tries to open rfp.db. (Lets ignore the ../../ stuff for now). Then it got interesting when I passed 'user_input=rfp%00'. Perl made $database="rfp\0.db", and then tried to open $database. The results?
It opened "rfp" (or would have, had it existed). What happened to the ".db"? As you probably know, Perl allows NULL characters in its variables as data. Unlike in C, NULL is not a string delimiter. But, the underlying system/kernel calls are programmed in C, which DOES recognize NULL as a delimiter. So the end result? Perl passes "rfp\0.db", but the underlying libs stop processing when they hit the first (our) NULL.
Im sure the brainpower of monks-combined (TM) could think of some nasty applications of this feature.

Update: I had intended to credit the author, RainForestPuppy, phrack mag 55-7. Sorry for the slip-up.

Tata

SMiTZ

Added update per user request - dvergin 2002-02-26


Comment on Re: Security with open() in CGI scripts
Select or Download Code

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://147535]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others having an uproarious good time at the Monastery: (12)
As of 2014-07-28 12:55 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    My favorite superfluous repetitious redundant duplicative phrase is:









    Results (197 votes), past polls