On 06/20/2011 08:56 PM, Alan Buxey wrote:
> got this error:
>
> Insecure dependency in eval while running setuid at
> /usr/local/lib/perl5/site_perl/5.12.2/Radius/Configurable.pm line 73
>
> checked that Configurable.pm file and it appears to be doing a nice
> eval on the $_[2] parameter - this could be used by a cracker if it's
> not checked/sanitized....

Seems to be the part where the config parser processes Hooks. $_[2] is the value for the currently processed *Hook keyword.

> now, it's not completely clear where this unchecked string is coming from
> so therefore still not sure if this could ever be a 'safe value' that couldn't
> be corrupted by someone wanting to get extra access or mess around..
> however, currently sidestepped by defining a local variable to $_[2]
> and using that in the call on line 73 .... is there a cleaner/safer
> way to operate this - I don't recall this being around in 4.7

The code for Configurable.pm seems to be identical for the two versions so maybe perl is now more strict with these. I added a note for this to things to check for the next version.

Thanks!

--
Heikki Vatiainen <[email protected]>

Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.

_______________________________________________
radiator mailing list
[email protected]
http://www.open.com.au/mailman/listinfo/radiator
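The taint failure discussed in this thread, as an added Perl illustration that is not Radiator's Configurable.pm: it reproduces the refused eval on a hook value read from a file, then shows one defensive way to handle such a value. The config file layout, the `PostAuthHook` keyword, the ownership checks and the `compile_hook` name are assumptions of this example.

```perl
#!/usr/bin/perl -T
# Added illustration, not Radiator's Configurable.pm: reproduces the taint
# check behind "Insecure dependency in eval" and shows one defensive way to
# handle a *Hook value: trust it only after vetting the config file it
# came from, then untaint it explicitly.
use strict;
use warnings;
use File::Temp qw(tempfile);
use Scalar::Util qw(tainted);

# Constructed stand-in for a Radiator config file that defines a hook.
my ($fh, $cfg) = tempfile();   # created mode 0600, owned by this user
print $fh 'PostAuthHook sub { my ($p) = @_; return "hook saw $p" }', "\n";
close $fh or die "close $cfg: $!";

# Parse it back. Anything read from a file is tainted under -T or setuid;
# split (unlike a regex capture) keeps that taint on the value.
open my $in, '<', $cfg or die "open $cfg: $!";
my ($line) = grep { /^PostAuthHook\s/ } <$in>;
close $in;
chomp $line;
my (undef, $hook_src) = split /\s+/, $line, 2;
printf "hook value tainted: %s\n", tainted($hook_src) ? 'yes' : 'no';

# What an eval of the raw value does: taint checking refuses it before
# the hook is even compiled, which is the error from the report.
my $raw = eval { my $r = eval $hook_src; die $@ if $@; $r };
print "refused: $@" if $@;

# compile_hook (hypothetical name): accept the hook only if the config
# file is owned by root or the running user and is not group/world
# writable, then untaint with a regex capture (perlsec's idiom) and compile.
sub compile_hook {
    my ($src, $config_file) = @_;
    my @st = stat $config_file or die "stat $config_file: $!";
    my ($mode, $uid) = @st[2, 4];
    die "$config_file: owned by uid $uid, not root or us\n"
        unless $uid == 0 || $uid == $<;
    die "$config_file: group/world writable\n" if $mode & 022;
    my ($clean) = $src =~ /\A(.*)\z/s;   # declared trusted only here
    my $sub = eval $clean;
    die "hook did not compile: $@" if $@;
    return $sub;
}

my $hook = compile_hook($hook_src, $cfg);
print $hook->('alice'), "\n";
```

Run it as `perl -T hook_taint.pl` so taint checking is active from the start; invoking it as `perl hook_taint.pl` makes perl stop with "Too late for -T".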
