[Techtalk] Perl Sockets Communication
almut_behrens at yahoo.com
Thu Aug 23 09:17:47 EST 2001
On Wed, Aug 22, 2001 at 07:38:21PM -0700, Kai MacTane wrote:
> ... They say with enough eyes, all bugs
> are shallow -- I think that bug just needed some eyes that weren't already
Just a final note on security. There's a specific combination of things
that should *always* ring all bells, security-wise:
(1) a program running as root, in particular daemons
(2) unchecked user input, in particular from webforms
(3) use of the backtick operator `` or system() in perl scripts
The short form of this should be engraved in every sysadmin's mind:
"root + unchecked input + ``/system() IS BAD"
If you really can't avoid this, additional checks are required.
In your case, the crucial command is the line
unless (`grep ^$username\: /etc/passwd`)
and the fact that $username is essentially unfiltered input from the
webform. If someone decides to use a "username" like
'x /dev/null ; cd / ; rm -rf * ;'
you would be in real trouble. The problem is not necessarily the grep
program, but the fact that it is run in a subshell, as root!
Hundreds of other malicious command sequences are conceivable, like
installing backdoors, and whatever else... The command string can
easily be completed in such a way that it wouldn't even cause an error
message. Essentially, you are giving an anonymous user a rootshell on
your system -- every script kiddie would get sparkling eyes.
Always filter user input for potentially dangerous metacharacters if
you need to use the input in some subshell-invoking command. However,
it's not as trivial to get this right as it might seem at first.
In your particular case, it would probably be easier to implement the
grepping yourself, in perl (which is trivial).
Also, see the perl docs for the difference between the two forms
system "cmd arg1 arg2 ..."; # uses subshell to run cmd
system cmd, arg1, arg2, ...; # doesn't use subshell to run cmd
(the latter circumvents some of the problems with the first form)
And, make use of the taint-checking facility (-T) offered by perl.
I'm sure you just removed those checks for brevity of the script
posted... ;)) Anyway, I just wanted to let you know -- before someone
else does it the hard way...
More information about the Techtalk