Thank you for the comments. At this time, I'm applying
issues mentioned in perlsec to the script, along with
an improvement on the regexp and instructions.
Also, these emails inspire a test script to run as a
basic security check.
Thank you all...
Regards,
Dan
--- Clifton Royston <[EMAIL PROTECTED]> wrote:
> On Fri, Jun 17, 2005 at 09:36:09AM -0700, Dan S wrote:
> > Hi Jefferson,
> >
> > Thank you for your reply, and an interesting point.
> >
> > I verified that an entry with backticks in the ipmon log file doesn't
> > execute by echoing a line:
> >
> > 17/06/2005 09:16:42.519563 fxp0 @0:48 b 81.`touch /hi`.120.46,1364 -> 216.34.`touch /bye`.168,139 PR tcp len 20 48 -S 2163595220 0 65535 IN
> >
> > Just to make sure, I'll include the -T switch with the interpreter, and
> > add a line:
> >
> > $line_orig =~ s/\`//g;
> >
> > just after it reads in the line.
>
> Your taint check *should* fail on any direct use of line_orig after
> this, and will on any fairly recent Perl.
>
> To make it reasonably secure, you need to do a very tight pattern-match
> of the input to only the known acceptable kinds of values, and assign
> the results of the pattern match (i.e. the pattern-matched substrings)
> to specific variables.
>
> Matching (for instance) only numeric characters + periods for an IP
> address, or only alpha-numeric characters + "-" and period for a domain
> name, is good. Doing a match for any character except "`" is unsafe,
> because you should always assume somebody will come up with something
> that you didn't think of.
>
> Attackers are already well aware of the exploit possibilities of getting
> text with embedded shell commands into a log file which will eventually
> be processed by some other utility.
>
> -- Clifton
>
> --
> Clifton Royston -- [EMAIL PROTECTED]
> Tiki Technologies Lead Programmer/Software Architect
> "I'm gonna tell my son to grow up pretty as the grass is green
> And whip-smart as the English Channel's wide..."
> -- 'Whip-Smart', Liz Phair
>
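Clifton's advice above (a tight, fully anchored pattern, and using only the captured substrings) applied to the ipmon line quoted in the thread, as an added example that is not part of the original exchange. The field layout, the accepted action letters and the "safe characters only" rule for the trailing fields are my assumptions about the ipmon format, and the two sample lines are constructed.

```perl
#!/usr/bin/perl -T
# Taint-safe ipmon line parser: untaint only via captures from a tight,
# fully anchored pattern, as the thread recommends. Added example code;
# the two sample lines below are constructed (one is the backtick line
# quoted in the thread). Field layout is an assumption about ipmon.
use strict;
use warnings;
use Scalar::Util qw(tainted);

my $IP   = qr/(\d{1,3}(?:\.\d{1,3}){3})/;   # dotted quad, digits only
my $PORT = qr/(?:,(\d{1,5}))?/;             # optional ",port"

# Anything unexpected anywhere in the line (backticks, semicolons, ...)
# makes the whole match fail, so nothing is untainted by accident.
my $LINE = qr{
    ^ (\d{2}/\d{2}/\d{4}) \s+ (\d{2}:\d{2}:\d{2}\.\d{6}) \s+   # date, time
    ([a-z]+\d+) \s+ \@(\d+):(\d+) \s+ ([bpL]) \s+           # iface, rule, action
    $IP $PORT \s+ -> \s+ $IP $PORT \s+ PR \s+ ([a-z]+)      # src, dst, proto
    (?:\s+[\w.\-]+)* \s* $                                  # rest: safe chars, unused
}x;

# Returns a hashref of validated, untainted fields, or undef on rejection.
sub parse_ipmon_line {
    my ($line) = @_;
    my @m = $line =~ $LINE or return undef;
    my %f;
    @f{qw(date time iface group rule action src sport dst dport proto)} = @m;
    for my $ip ($f{src}, $f{dst}) {            # regex allows 999; enforce 0-255
        return undef if grep { $_ > 255 } split /\./, $ip;
    }
    return \%f;
}

my @samples = (
    '17/06/2005 09:16:42.519563 fxp0 @0:48 b 81.2.120.46,1364 -> 216.34.2.168,139 PR tcp len 20 48 -S 2163595220 0 65535 IN',
    '17/06/2005 09:16:42.519563 fxp0 @0:48 b 81.`touch /hi`.120.46,1364 -> 216.34.`touch /bye`.168,139 PR tcp len 20 48 -S 2163595220 0 65535 IN',
);

for my $raw (@samples) {
    # String literals are never tainted; appending a zero-length slice of
    # tainted %ENV data marks the sample as if it had been read from the log.
    my $line = $raw . substr($ENV{PATH} // '', 0, 0);
    my $f = parse_ipmon_line($line);
    if (!$f) { print "REJECTED: $line\n"; next }
    printf "%s %s -> %s %s  (line tainted: %d, captured src tainted: %d)\n",
        $f->{action}, $f->{src}, $f->{dst}, $f->{proto},
        tainted($line) ? 1 : 0, tainted($f->{src}) ? 1 : 0;
}
```

Start it as `perl -T parser.pl`; with `-T` only in the shebang, `perl parser.pl` stops with "Too late for -T". The clean line is parsed with the line reported tainted and the captured address not, and the backtick line is rejected outright.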