system command and dummy fields

Fairlight fairlite at fairlite.com
Mon May 19 04:55:45 PDT 2008


Y'all catch dis heeyah?  Walter Vaughan been jivin' 'bout like:
> Also be aware that fields 7 and 8 are now vectors that can get you in
> trouble.  If someone puts "; evil_command; " in one of those fields, they
> have full access to whatever filepro has as well. Delete, change records,
> logs, etc... at will
>
> You might want to strip those fields of semicolons for auditing purposes.

Walter, you do enough web design that I'd have expected you to know that
semicolons aren't the only thing that can get you in trouble.

In fact, pipes are another huge vector.  And pipes work on both *nix and
Windows...a fact that proved the big common arbitrary code execution
exploit in fPCGI 1.0 before I managed to convince them to close it.
Doesn't even matter if another part of the line errors--if the malicious
part is executed, you're screwed.

Then there are grave quotes, which can also come anywhere within the
command on *nix, and also allow for easy injection.

In general, -all- shell metacharacters should be stripped from
user-supplied segments of anything that will ever touch a command
interpreter.  Actually, if your architecture requires user-supplied data on
the command line, the architecture should be better designed, as a general
rule of thumb.

mark->
-- 
"Moral cowardice will surely be written as the cause on the death
certificate of what used to be Western Civilization." --James P. Hogan
