Pantek Library

RE: Can System() of Perl be bypassed?

From: NESTING, DAVID M (SBCSI) <dn3723(at)sbc.com>
Date: Wed Jan 22 2003 - 16:30:17 EST


Use the multiple-argument version of the system call, and ensure that the program you're calling won't misbehave if weird input is provided:

system("/path/some-command", $user_data);

Passing $user_data and the command name in a single string (the single-argument form of system()) causes the shell to parse and interpret the data, which means shell metacharacters in the user's data will be interpreted.

Read through perlsec for this and other gotchas. Taint mode in Perl will help you avoid them, but don't rely exclusively on it. It will catch some stupid mistakes, but it isn't a cure for not knowing what you're doing.

Good luck,

David

-----Original Message-----
From: Sandeep Giri [mailto:sandeepgiri@indiatimes.com]
Sent: Wednesday, 22 January, 2003 01:03
To: secprog@securityfocus.com
Subject: Can System() of Perl be bypassed?

Hi All,
In my Perl code, I am using the user's input as a command-line argument for the program being executed by system().
Can the user run a command of his choice by giving malicious input? Is Perl's -T (taint mode) the solution for this?


Thanks.

Sandeep Giri

Received on Wed Jan 22 17:29:06 2003
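The following script is an added illustration of David's point, not code from the thread: it runs the same constructed input through the one-string form of system() (shell parses it) and the list form (no shell), and then shows the untainting step that -T forces on real command-line input. The `/bin/echo` target, the PATH value and the `untaint_filename` pattern are this example's own choices; a real program would substitute its own command and an argument format that matches what it actually expects.

```perl
#!/usr/bin/perl -T
# Added example, not code from the thread: the two forms of system() side by
# side, plus the untainting step that taint mode (-T) forces on real input.
use strict;
use warnings;

# Taint mode refuses to run external commands until PATH is set from
# trusted data; perlsec also recommends clearing these variables.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Constructed input (a literal, so not tainted) containing a shell metacharacter.
my $demo = 'report.txt; echo INTERPRETED-BY-SHELL';

print "--- one-string form: the shell parses the whole line ---\n";
# Because the string contains a metacharacter, Perl hands it to /bin/sh -c:
# /bin/echo receives "report.txt" and the shell then runs the second command.
# With real user data this is exactly the bypass the original question asks about.
system("/bin/echo $demo") == 0 or die "echo failed: $?\n";

print "--- list form: no shell, the string is one argv element ---\n";
# /bin/echo receives the literal text, semicolon and all, and prints it once.
system('/bin/echo', $demo) == 0 or die "echo failed: $?\n";

# Untaint by extracting only the characters this program is willing to pass
# on. The pattern is this example's choice (hypothetical policy: a plain file
# name that does not start with "-", so it cannot be mistaken for an option).
# Returns undef when the input does not match.
sub untaint_filename {
    my ($raw) = @_;
    return defined $raw && $raw =~ /^(\w[\w.\-]*)\z/ ? $1 : undef;
}

# Real input from the command line is tainted under -T: passing it to
# system() unchanged dies with "Insecure dependency", even in list form.
if (@ARGV) {
    my $clean = untaint_filename($ARGV[0]);
    if (!defined $clean) {
        print STDERR "rejected argument '$ARGV[0]': must match \\w[\\w.-]*\n";
        exit 1;
    }
    print "--- list form with untainted argument ---\n";
    my $rc = system('/bin/echo', $clean);
    if ($rc != 0) {
        # $? holds the wait status; the high byte is the child's exit code.
        die sprintf "command failed with exit code %d\n", $? >> 8;
    }
}
```

Run it as `perl -T demo.pl` (or make it executable so the `-T` on the shebang line takes effect), first with no argument to see the two echo forms, then with an argument such as `notes.txt` or `a;b` to see taint mode accept or reject it. Two things worth noticing: the list form removes the shell from the picture but still delivers the argument verbatim to the program, so an argument starting with `-` would be read by many programs as an option, which is why the pattern above refuses a leading dash; and the untainting regex is where the real policy lives, which is the "don't rely exclusively on taint mode" part of David's advice.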

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:02:45 EDT

