I was trying to show how easy it was to manipulate $0 because FindBin relies on it. In the "real world", no one uses FindBin just for curiosity, they use it to find related files. If I can fool FindBin, I can probably feed bogus data into the script by making it read my files instead of the owner's. Which could lead to a successful exploit. Which is why I was worried about FindBin in the first place.
I agree that exec(3) alone is insufficient to exploit $0.
I suppose that saying "there's plenty of reasons to taint" $0 is a bit imprecise. I agree that the challenge here is to point the filename to a different file but there are multiple attack vectors which might work (gaming the filesytem, a private, hacked, perl executable, doing "exec" without exec(3), etc). So, yes, one reason, but a number of ways to attack.
On reflection, my opinion is that tainting is insufficient and relying on $0 (and thus FindBin) for anything is likely to be insecure. Usually, people untaint by pattern matching for allowed characters and a usefully bogus $0 could probably slip through. I don't really have the time or desire to work out the attacks on FindBin when I can just hardwire my paths and be sure.
Just FYI, I used to wear a white hat but I've been out of the game for a number of years and my memory is not so great anymore, so I could easily be wrong about everything.
In reply to Re^9: Taint problems
by rowdog
in thread Taint problems
by gayathriAthreya
| For: | Use: | ||
| & | & | ||
| < | < | ||
| > | > | ||
| [ | [ | ||
| ] | ] |