perl open() injection prevention

perl security protection code-injection
Random User picture Random User · Oct 28, 2014 · Viewed 9.3k times · Source

I have read that the open() command with 2 arguments is vulnerable to injection whereas the open() command with 3 arguments isn't inject-able.

SAy I have a directory where all my files have a common prefix, i.e "file-" so an example filename would be, file-SomeSourceCode.txt

How would something like open(FILEHANDLE, "some/random/dir/file-" . $fileextension) be vulnerable?

where $fileextension could be any sort of 'filename' per say. As far as I understand, this would not be vulnerable to a filename like | shutdown -r | which would execute the command to the server.

Answer

ikegami picture ikegami · Oct 28, 2014 
open(my $fh, "some/random/dir/file-" . $user_text)

is completely vulnerable. Not only does the improper injection make it impossible to open a file named 

some/random/dir/file-foo|

it can be used to execute arbitrary commands

$ perl -e'open(my $fh, "file-".$ARGV[0])' ' ; echo 0wned >&2 |'
sh: 1: file-: not found
0wned

Related questions

nrpe unable to run custom perl script: Return Code: 1, Output: NRPE: Unable to read output

I'm trying to implement a custom perl nagios script to check for rogue dhcp servers remotely with nrpe. On the central server when i run: /usr/local/nagios/libexec/check_nrpe -H 10.9.0.25 -c check_roguedhcp In my debugging logs i'm …

Read More
Find size of an array in Perl

I seem to have come across several different ways to find the size of an array. What is the difference between these three methods? my @arr = (2); print scalar @arr; # First way to print array size print $#arr; # Second way to …

Read More
How do I break out of a loop in Perl?

I'm trying to use a break statement in a for loop, but since I'm also using strict subs in my Perl code, I'm getting an error saying: Bareword "break" not allowed while "strict subs" in use at ./final.pl line 154. …

Read More