in reply to Security with open() in CGI scripts
Something weird you should look out for that I came across late one night:
It opened "rfp" (or would have, had it existed). What happened to the ".db"? As you probably know, Perl allows NULL characters in its variables as data. Unlike in C, NULL is not a string delimiter. But, the underlying system/kernel calls are programmed in C, which DOES recognize NULL as a delimiter. So the end result? Perl passes "rfp\0.db", but the underlying libs stop processing when they hit the first (our) NULL.
Im sure the brainpower of monks-combined (TM) could think of some nasty applications of this feature.
Ok, whats the problem? CGI passes user_input=rfp, and the script tries to open rfp.db. (Lets ignore the ../../ stuff for now). Then it got interesting when I passed 'user_input=rfp%00'. Perl made $database="rfp\0.db", and then tried to open $database. The results?# parse $user_input $database="$user_input.db"; open(FILE "<$database");
It opened "rfp" (or would have, had it existed). What happened to the ".db"? As you probably know, Perl allows NULL characters in its variables as data. Unlike in C, NULL is not a string delimiter. But, the underlying system/kernel calls are programmed in C, which DOES recognize NULL as a delimiter. So the end result? Perl passes "rfp\0.db", but the underlying libs stop processing when they hit the first (our) NULL.
Im sure the brainpower of monks-combined (TM) could think of some nasty applications of this feature.
Update: I had intended to credit the author, RainForestPuppy, phrack mag 55-7. Sorry for the slip-up.
Tata
SMiTZ
Added update per user request - dvergin 2002-02-26
In Section
Seekers of Perl Wisdom