Taint mode question
| Hotpop Com 2005-12-09, 7:55 am |
| Setup: Perl 5.8, WinXP
I have created the code below to test Taint mode. The testapp.exe
program is actually the standard Windows "attrib.exe" but renamed and
placed in my CWD. The program as it is below works as expected, however if I swap the comments on the two $ENV{'PATH'} lines it no longer works and reports an insecure $ENV{PATH}.
I can't understand why I need to have the windows system32 folder
included in my $ENV{PATH} for the prog to run.
If in a DOS window I reset my OS environment var PATH to simply '.'
(the CWD) the testapp.exe will run as normal in the DOS window, so why
is resetting my $ENV{PATH} to the CWD different?
Thanks
----
#!c:/perl/bin/perl.exe -wT
use strict;
use diagnostics;
use CGI;
use CGI::Carp qw(fatalsToBrowser);
use Cwd;
my $dir = getcwd();
my $q = new CGI;
print $q->header,
$q->start_html(-title => "External program"),
$q->h2("External command test");
#$ENV{'PATH'} = $dir;
$ENV{'PATH'} = ("C:\\WINDOWS\\system32");
delete @ENV{'IFS', 'CDPATH', 'ENV', 'BASH_ENV'};
my @prog1 = ("testapp.exe", "+R", "dummy.txt", "/S");
my $exit_status1 = system(@prog1);
print $q->p("My CWD is $dir"),
$q->p("My 'PATH' is $ENV{'PATH'}"),
$q->p("Exit status1: $exit_status1"),
$q->end_html;
| |
| Zentara 2005-12-12, 6:55 pm |
| On Fri, 9 Dec 2005 05:04:48 -0500 (EST),
pcbcad@hotpop.com@pop.hotpop.com (Hotpop Com) wrote:
>Setup: Perl 5.8, WinXP
I don't use Windows, but I'll try to answer. :-)
>I have created the code below to test Taint mode. The testapp.exe
>program is actually the standard Windows "attrib.exe" but renamed and
>placed in my CWD. The program as it is below works as expected, however if I swap the comments on the two $ENV{'PATH'} lines it no longer works and reports an insecure $ENV{PATH}.
> #$ENV{'PATH'} = $dir;
> $ENV{'PATH'} = ("C:\\WINDOWS\\system32");
> delete @ENV{'IFS', 'CDPATH', 'ENV', 'BASH_ENV'};
>I can't understand why I need to have the windows system32 folder
>included in my $ENV{PATH} for the prog to run.
Because Taint mode requires "exactness", for lack of a better term.
If you leave the $path as $dir, $dir could lead anywhere (like a
tempdir) where a fake executable is stashed. The whole
purpose of 'taint mode' is to ensure that your script will execute
exactly as you planned it. That precludes someone from uploading
a file named testapp.exe to '.', and letting your cgi run it.
>
>If in a DOS window I reset my OS environment var PATH to simply '.'
>(the CWD) the testapp.exe will run as normal in the DOS window, so why
>is resetting my $ENV{PATH} to the CWD different?
Because running your script in a DOS window is not "open to the world",
like it is when running thru cgi. Running a program at the
"commandline", is different from running it thru a "server". The server
sets up a special environment to safely execute the scripts.
There are people out there, who look to see what version of server and
software your web site uses, find vulnerabilities, and try to exploit
them. If a vulnerability is found, they could upload a file named
testapp.exe, which forks and sends emails out from YOU!
Now for the "dos-window" execution of the script to become
"compromised", it would mean that someone with local access (or ssh) to
your computer would have to do it. That's a smaller number of people
to worry about. :-)
So taint mode isn't perfect, but it is a big step toward protecting your
cgi programs.
--
I'm not really a human, but I play one on earth.
http://zentara.net/japh.html
| |
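Added example, not part of either post: a small Perl script that shows the mechanism behind the "insecure $ENV{PATH}" report from the first message. It compares a PATH taken from getcwd() with one written as a literal in the source. The probe program name, the helper path_verdict and the /usr/bin stand-in are assumptions made for this illustration.

```perl
#!/usr/bin/perl -T
# Run as: perl -T taint_path.pl   (the file name is an assumption)
use strict;
use warnings;
use Cwd qw(getcwd);
use Scalar::Util qw(tainted);

# Same clean-up as the scripts in this thread; perl checks these too.
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Constructed, non-existent program name: perl runs its taint checks
# before it tries to start anything, so no real program is executed.
my $probe = 'taint-probe-no-such-program';

# Set PATH to $candidate, call system(), and report what taint mode says.
sub path_verdict {
    my ($candidate) = @_;
    local $ENV{PATH} = $candidate;
    no warnings 'exec';    # the probe is expected not to be found
    my $ok = eval { system($probe, 'arg'); 1 };
    return 'accepted' if $ok;
    my ($first_line) = split /\n/, $@;    # first line of the taint error
    return $first_line;
}

my $cwd = getcwd();        # value obtained at run time
# Literal written in the source; /usr/bin is a stand-in for non-Windows systems.
my $literal = $^O eq 'MSWin32' ? 'C:\\WINDOWS\\system32' : '/usr/bin';

for my $case (['getcwd()', $cwd], ['literal', $literal]) {
    my ($label, $value) = @$case;
    printf "%-9s tainted=%d  %s\n",
        $label, (tainted($value) ? 1 : 0), path_verdict($value);
}
```

The script prints one line per candidate: whether Scalar::Util reports the value as tainted, and whether system() was allowed to proceed with that PATH.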
| evillen@gmail.com 2005-12-13, 6:56 pm |
| Hi Zentara
Thanks for the reply, that made sense and I (pcbcad) better understand
Taint now. I now can't solve my priority problem and I am fairly sure
it's related.
With the following code the first @prog now runs OK, however the second
@prog2 - the one I'm interested in - fails with an exit status of
65280, and an apache log error of:
_START_
[Tue Dec 13 17:23:06 2005] [error] [client 127.0.0.1] [Tue Dec 13
17:23:06 2005] 1312c.cgi: Can't spawn "extracta.exe": No error at
C:/Documents and Settings/User/My Documents/My
Website/tests_f/1312c.cgi line 23.
_END_
I believe this may have something to do with extracta.exe dependent
files being outside of my $ENV{PATH}, although I am not certain it has
any dependents. I have also tried this program without the -T switch
and get the same error. Do you have any ideas?
Many thanks
Len
Revised Taint test code follows:
-----
#!c:/perl/bin/perl.exe -wT
use strict;
use diagnostics;
use CGI;
use CGI::Carp qw(fatalsToBrowser);
use Cwd;
my $q = new CGI;
print $q->header,
$q->start_html(-title => "External program"),
$q->h2("External command test");
$ENV{'PATH'} = ("C:\\dump");
delete @ENV{'IFS', 'CDPATH', 'ENV', 'BASH_ENV'};
my @prog = ("test_icicles.bat");
my @prog2 = ("extracta.exe", "temp.brd", "status_detail.cmd",
"extract_output.txt");
my $exit_status = system(@prog);
my $exit_status2 = system(@prog2);
print $q->p("My 'PATH' is $ENV{'PATH'}"),
$q->p("Exit status: $exit_status"),
$q->p("Exit status2: $exit_status2"),
$q->end_html;