Beefy Boxes and Bandwidth Generously Provided by pair Networks
Don't ask to ask, just ask

Re: Security with open() in CGI scripts

by smitz (Chaplain)
on Feb 26, 2002 at 12:16 UTC ( #147535=note: print w/ replies, xml ) Need Help??

in reply to Security with open() in CGI scripts

Something weird you should look out for that I came across late one night:
# parse $user_input $database="$user_input.db"; open(FILE "<$database");
Ok, whats the problem? CGI passes user_input=rfp , and the script tries to open rfp.db. (Lets ignore the ../../ stuff for now). Then it got interesting when I passed 'user_input=rfp%00'. Perl made $database="rfp\0.db", and then tried to open $database. The results?
It opened "rfp" (or would have, had it existed). What happened to the ".db"? As you probably know, Perl allows NULL characters in its variables as data. Unlike in C, NULL is not a string delimiter. But, the underlying system/kernel calls are programmed in C, which DOES recognize NULL as a delimiter. So the end result? Perl passes "rfp\0.db", but the underlying libs stop processing when they hit the first (our) NULL.
Im sure the brainpower of monks-combined (TM) could think of some nasty applications of this feature.

Update: I had intended to credit the author, RainForestPuppy, phrack mag 55-7. Sorry for the slip-up.



Added update per user request - dvergin 2002-02-26

Comment on Re: Security with open() in CGI scripts
Select or Download Code

Log In?

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://147535]
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others cooling their heels in the Monastery: (3)
As of 2016-05-29 04:06 GMT
Find Nodes?
    Voting Booth?