From: b0iler (b0iler_at_eyeonsecurity.net)
Date: Wed Jul 17 2002 - 22:03:29 CDT
Hi. I tried to reach people at OWASP 3 different times, sending email to 3
different people. I have got no response. I sent this months ago, but it is
still valid. Perhaps someone here can help me out, or an OWASP member will
read it.
----I was very confused when you went over the perl functions which can possibly call shell commands. Is there any way you can better explain a few?
Perl: open() (the #1), sysopen(), glob(), system(), `` (backticks), eval()
I know open(), but how can sysopen() be used to call a shell? If you can explain this in as great detail as possible.
glob() from my understanding is fairly harmless. AFAIK it cannot call commands, it just does "globbing" (completing queries with * ? [0-9] etc.). Unless I am missing a way in which it can be used, it should always require another function to actually issue the commands. Explain this one from scratch if possible.
You list eval() on the list, but forget the /e modifier on regexes, which evals it. You did this for PHP, but not Perl.
You also forgot exec() and qx//.
Now I was going to check on dbmopen() for command execution. It uses the DB_File.pm file. I got an error when trying an example right out of the Camel:
Use of uninitialized value in subroutine entry at /usr/lib/perl5/5.6.1/i586-linux/DB_File.pm line 262.
Use of uninitialized value in subroutine entry at /usr/lib/perl5/5.6.1/i586-linux/DB_File.pm line 262.
I tried this on a friend's box (mine is SuSE 7.3, his is Mandrake) and I got the same error. Line 262 makes a call to DoTie(), but there was no DoTie* in any of my Perl modules, and I could not find any other subroutines they were trying to call (in case it was just a mistake/typo). If you happen to know, what I want to find out is: is there any command execution possible with dbmopen()?
I am very interested in perl security and general web application security. I was very happy when OWASP started, please keep up the good work. Quality over quantity.
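Added example, not from the original post and not OWASP's material: a runnable Perl script that exercises the calls listed above with constructed "injected" input (harmless echo commands), each beside the form that does not reach /bin/sh. Two facts about Perl it relies on, stated here by the editor rather than by the post: since Perl 5.6 glob() is the in-process File::Glob extension (before 5.6 it spawned /bin/csh on the pattern, which is why it appears on lists of shell-invoking functions), and sysopen() is the bare open(2) system call with no '|' handling. The list-form pipe open mentioned in a comment is assumed to exist only on newer perls; check perlfunc for your version. dbmopen() is not covered.

```perl
#!/usr/bin/perl
# Added example (editor's code, not from the post or OWASP): which Perl
# calls hand attacker-controlled data to /bin/sh, next to the form that
# does not.  Every "injected" command is a harmless echo.
use strict;
use warnings;
use Fcntl;          # O_RDONLY for sysopen()

# Constructed inputs, as a CGI script might receive them from a form field.
my $bad_name = "| echo INJECTED-VIA-OPEN";       # leading pipe character
my $bad_arg  = "x; echo INJECTED-VIA-SHELL";     # shell metacharacters
my $bad_code = 'print "INJECTED-VIA-EVAL\n"; 1'; # Perl source text

# 1. Two-argument open(): a name that starts or ends with '|' is a pipe,
#    so the rest of the string is run by the shell.
open(my $fh, $bad_name) or die "open: $!";
print "2-arg open() gave: ", <$fh>;
close $fh;
#    Three-argument open() takes the name literally; no file of that
#    name exists, so it simply fails.
if (open(my $fh2, '<', $bad_name)) {
    print "3-arg open() opened a real file named '$bad_name'\n";
    close $fh2;
} else {
    print "3-arg open() treated the name literally: $!\n";
}

# 2. system() and exec() given ONE string with metacharacters go via
#    'sh -c', so the ';' starts a second command.
system("echo hello $bad_arg");          # echo runs twice
#    The list form execs the program directly; ';' is just argv text.
system('echo', 'hello', $bad_arg);      # the whole string printed once

# 3. Backticks and qx// are the same operator and use the shell whenever
#    metacharacters are present.
my $out = `echo $bad_arg`;
print "backticks gave: $out";
print "qx// gave: ", qx(echo $bad_arg);
#    On perls that support the list-form pipe open (assumed newer perls),
#    a command's output can be read without a shell:
#        open(my $p, '-|', 'echo', $bad_arg) or die "pipe open: $!";

# 4. String eval() runs data as Perl code.  A single /e evaluates the
#    replacement written in the source; /ee evaluates the RESULT of that
#    as code again, so input passed through it is executed.
eval $bad_code;
(my $s = 'NAME') =~ s/NAME/$bad_code/ee;   # 1st e: the string, 2nd e: runs it
print "s///ee left: $s\n";

# 5. glob(): since Perl 5.6 this is File::Glob, in-process.  The words
#    below come back as strings and nothing is executed.  Before 5.6 the
#    same call handed the pattern to /bin/csh.
my @g = glob("*.nonexistent; echo INJECTED-VIA-GLOB");
print "glob() returned: @g\n";

# 6. sysopen() is the raw open(2) system call: no '|' magic, no shell.
#    The "pipe" name is just a file that does not exist.
sysopen(my $raw, $bad_name, O_RDONLY)
    or print "sysopen() treated the name literally: $!\n";

# Under taint mode (perl -T), system(), exec(), backticks and the pipe
# forms of open() die when handed unchecked input, which is the cheapest
# way to catch the forms in 1-3 in a CGI script.
```

Run it as `perl example.pl`: the INJECTED lines from 1, 2 (first form), 3 and 4 show exactly which calls reached a shell or evaluated data, while the three-argument open(), list-form system(), glob() and sysopen() only report the literal string.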