RE: Perl code security (CGI related)

From: Michael Silk (silkmhushmail.com)
Date: Mon Apr 05 2004 - 17:42:05 CDT


Rick,

  All you need to do is figure out how to execute a shell
  command in perl code ... I imagine it's something like:
  ---------------
  system("ls");
  ---------------

  So you would modify the value of "$default" such that this:
  ---------------
  eval $code;
  ---------------

  looks like this, at runtime:
  ---------------
  eval "system(\"ls\");";
  ---------------

  Hope that's clear ....

-- Michael

-----Original Message-----
From: Rick Zhong [mailto:isc00801nus.edu.sg]
Sent: Monday, 5 April 2004 10:08 PM
To: secprogsecurityfocus.com
Subject: Perl code security (CGI related)

hi,
I was looking at this vulnerable CGI code. I have tidied it a bit:

====================================================
my $code = 'require ' . "\"$default/" . $area . '.pm"; $lang =' . $area .
           '->new();';

eval $code;
====================================================

The $default is under the user's control. My question is whether perl's eval
function allows execution of a command such as "rm -rf *". Is there any
execution restriction on "eval"? I have tried on my perl v5.8. It seems the
"eval $code" can successfully change the behaviour of variables in the
program. However, it does not have any effect if $code is a shell command
such as "rm -rf *"...

The CGI program is running on Apache 2.0, running under user apache. Let me
know if you need any details of my questions. It will be very helpful if
you can give any demo code etc.

regards,
Rick
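
Added example (not code from either poster): the eval-based loader from Rick's snippet, rewritten as a function, next to a hardened loader that never turns user input into Perl source. $default, $area, the module directory and the "->new()" interface are assumed from the thread.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Vulnerable form: $default and $area are interpolated into a string that
# string-eval then compiles and runs. Whatever Perl expression is placed in
# them executes with the web server's privileges (user "apache" here).
sub load_lang_unsafe {
    my ($default, $area) = @_;
    my $lang;
    my $code = 'require ' . "\"$default/" . $area . '.pm"; $lang = '
             . $area . '->new();';
    eval $code;                  # string eval: user data is now Perl code
    die "eval failed: $@" if $@;
    return $lang;
}

# Hardened form: the directory is fixed by the program, the module name must
# be a bare identifier, and the file is loaded by path with require EXPR, so
# no string is ever compiled as code.
my $MODULE_DIR = '/srv/app/lang';   # assumed fixed location, not user data

# Allow-list check: letters, digits and underscore only, so no '/', '..',
# quotes or whitespace can reach require or the method call.
sub valid_module_name {
    my ($area) = @_;
    return defined $area && $area =~ /\A[A-Za-z][A-Za-z0-9_]{0,31}\z/ ? 1 : 0;
}

sub load_lang_safe {
    my ($area) = @_;
    die "invalid language module name\n" unless valid_module_name($area);
    my $file = "$MODULE_DIR/$area.pm";
    die "no such language module\n" unless -f $file;
    require $file;               # loads a file; nothing is eval'd as source
    return $area->new();         # $area is a validated identifier: a class name only
}

# Constructed sample inputs: only the plain identifier passes the check.
for my $name ('English', '../English', 'English"; 1; "') {
    printf "%-20s %s\n", $name, valid_module_name($name) ? 'accepted' : 'rejected';
}
```

The regular expression is the real fix; the -f test only improves the error message, since a validated name cannot escape $MODULE_DIR anyway.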
