Hoo boy. Watch out. You've used param() in both a scalar and a list context. In your security test, you look for things of interest, but in a scalar context, which means you are testing the first param value for trace if multiple values are defined. But then, you suck down all the param-values for trace when you fire off the traceroute. Guess what? You are now passing untested data to traceroute!... if ( param('trace') and param('trace') =~ /^[-.0-9a-zA-Z]+$/ ) { print p( "Hello There- I am writing this from " . "scratch so please be patient. Thanks!" ), "<pre>"; system( "/usr/sbin/traceroute", param('trace') ); ...
And given that there were some buffer overflow problems with traceroute if I recall my BUGTRAQ listings, giving root access to local users, you've just handed the keys to the kingdom to all-comers. Whee!
Security - it's not just for breakfast any more.
-- Randal L. Schwartz, Perl hacker
In reply to Possible Security Hole (was RE: Re: CGI and Traceroute)
by merlyn
in thread CGI and Traceroute
by Anonymous Monk
| For: | Use: | ||
| & | & | ||
| < | < | ||
| > | > | ||
| [ | [ | ||
| ] | ] |