On Fri, Jun 17, 2005 at 09:36:09AM -0700, Dan S wrote:
> Hi Jefferson,
> 
> Thank you for your reply, and an interesting point. 
> 
> I verified that an entry with backticks in the ipmon
> log file doesn't execute by echoing a line:
> 
> 17/06/2005 09:16:42.519563 fxp0 @0:48 b 81.`touch
> /hi`.120.46,1364 -> 216.34.`touch /bye`.168,139 PR tcp
> len 20 48 -S 2163595220 0 65535 IN
> 
> Just to make sure, I'll include the -T switch with the
> interpreter, and add a line:
> 
> $line_orig =~ s/\`//g; just after it reads in the
> line.

  Your taint check *should* fail on any direct use of line_orig after
this, and will on any fairly recent Perl.

  To make it reasonably secure, you need to do a very tight
pattern-match of the input to only the known acceptable kinds of
values, and assign the results of the pattern match (i.e. the
pattern-matched substrings) to specific variables.

  Matching (for instance) only numeric characters + periods for an IP
address, or only alpha-numeric characters + "-" and period for a domain
name, is good.  Doing a match for any character except "`" is unsafe,
because you should always assume somebody will come up with something
that you didn't think of.

  Attackers are already well aware of the exploit possibilities of
getting text with embedded shell commands into a log file which will
eventually be processed by some other utility.

  -- Clifton

-- 
          Clifton Royston  --  [EMAIL PROTECTED] 
         Tiki Technologies Lead Programmer/Software Architect
"I'm gonna tell my son to grow up pretty as the grass is green
And whip-smart as the English Channel's wide..."
                                            -- 'Whip-Smart', Liz Phair
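An added example of the allowlist approach Clifton describes, applied to the ipmon line Dan quoted; this is my code, not either poster's script. The field layout is assumed from that single line, and the printf call stands in for whatever the real script does with the fields.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;

# Under -T, system()/exec() refuse to run with a tainted PATH, so fix it first.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Constructed samples: the backtick line Dan tested, and a clean line in the
# same layout (addresses are documentation ranges, not real hosts).
my @samples = (
    q{17/06/2005 09:16:42.519563 fxp0 @0:48 b 81.`touch /hi`.120.46,1364 -> 216.34.`touch /bye`.168,139 PR tcp len 20 48 -S 2163595220 0 65535 IN},
    q{17/06/2005 09:16:42.519563 fxp0 @0:48 b 192.0.2.10,1364 -> 198.51.100.8,139 PR tcp len 20 48 -S 2163595220 0 65535 IN},
);

# Allowlist parser: each field must match a tight pattern, and only the
# captured substrings (which taint mode treats as untainted) are returned.
# The field layout is an assumption taken from the one quoted line.
sub parse_ipmon_line {
    my ($line) = @_;
    my $ip   = qr/\d{1,3}(?:\.\d{1,3}){3}/;
    my $port = qr/\d{1,5}/;
    return unless $line =~ m{^
        (\d{2}/\d{2}/\d{4}) \s+ (\d{2}:\d{2}:\d{2}\.\d+) \s+   # date, time
        ([A-Za-z0-9]+) \s+ \@(\d+):(\d+) \s+ ([A-Za-z]) \s+    # iface, group:rule, action
        ($ip),($port) \s+ -> \s+ ($ip),($port) \s+              # src, dst
        PR \s+ ([a-z]+) \s+ len \s+ (\d+) \s+ (\d+)             # proto, header len, packet len
    }x;
    return { date => $1, time => $2, iface => $3, group => $4, rule => $5,
             action => $6, src => $7, sport => $8, dst => $9, dport => $10,
             proto => $11, hdrlen => $12, len => $13 };
}

for my $line (@samples) {
    my $rec = parse_ipmon_line($line);
    unless ($rec) {
        # The backtick line lands here: it never matches the IP pattern.
        warn "rejected: line does not match the expected ipmon format\n";
        next;
    }
    # Stand-in for whatever the script does with the fields: list-form
    # system() with untainted values, so nothing here reaches a shell.
    system('/usr/bin/printf', "%s:%s -> %s:%s (%s)\n",
           @{$rec}{qw(src sport dst dport proto)}) == 0
        or warn "printf failed: $?\n";
}
```

Run it as `perl -T script.pl`; replacing the allowlist with a blanket `s/\`//g` on the raw line would leave the value tainted and still admit other shell metacharacters.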