Elijah has asked for the wisdom of the Perl Monks concerning the following question:

I have written a cgi filter script for the new phpBB exploit and have in the past had the script email the site admin that an attack attempt has happened. Now that the manual attempts at exploits have all but stopped and now that the worm is hitting sites sometimes thousands of times a day, I have decided to have the script extract the domain name from the encoded hex/unicode exploit string and grab the admin email from whois (if it exists) and email the admin and notify them their site is infected.

Now with that said I of course am using taint mode, so in order to pass data to an open() call I am piping to "-" and trying to temporarily print the output of the whois command to a cgi generated webpage just to verify the data is there before I extract the email address. However the return value of my filehandle is null and I can not see any reason why it would be this way. I have taken this example and put it in a test command line script and it executes like it is supposed to.

Here is the section of code:

    if ($domain) {
        open(LKUP, "-|") || exec("ls"); #exec("whois", $domain);
        print while <LKUP>;
    }

As you can see I have commented out the real exec() call I want to run and simply am trying to get the output to list the contents of the current dir. I get nothing printed from the print statement however.

Re: Safe open() with taint mode not working?
by dave_the_m (Monsignor) on Jan 14, 2005 at 18:59 UTC
    You describe 3 cases: your original code, your posted test snippet (with ls), and the test snippet with ls replaced by exec. From your description, it's not clear to me which of the three are failing for you. The last two both work for me (at least if I set $domain to something).

    Dave.

      My explanation may have been a little unclear but I do not see where you get the three different instances from.

      Basically I am using the above code in a cgi script and the filehandle <LKUP> never has a value. When I run this from the command line it executes as it should, as I said in my first post, but when I run it inside my cgi script and try to print this data to the web page the filehandle is null.

        Ah I see. The thing to do is to add debugging warns everywhere around that code (e.g. warn "in child, about to exec...\n"), and see what makes it into the web server's error log. Also, you should check for open() returning an undef value, and you should check for exec failing - in both cases, printing out $! to STDERR.

        Dave.
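
The checks suggested in the reply above, written out as an added example that is not code from the thread: the forked open is tested for undef, the child warns before exec and reports $! if exec fails, and the domain is untainted before it reaches exec. The whois path, the fixed PATH value, the helper names untaint_domain and whois_lines, and the sample domain are assumptions.

```perl
#!/usr/bin/perl -T
# Added example, not from the thread. Run as: perl -T whois_check.pl example.com
use strict;
use warnings;

# Taint mode will not exec with an inherited environment, so pin it (see perlsec).
$ENV{PATH} = '/usr/bin:/bin';             # assumed value; adjust for the host
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

my $WHOIS = '/usr/bin/whois';             # assumed location of the whois client

# Untaint by capturing only hostname characters; anything else is rejected.
sub untaint_domain {
    my ($raw) = @_;
    return undef unless defined $raw;
    return $raw =~ /\A((?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63})\z/
        ? lc $1
        : undef;
}

# Run whois in a forked child and return its output lines.
# Every failure is written to STDERR, which a CGI script sends to the error log.
sub whois_lines {
    my ($domain) = @_;
    my $pid = open(my $lkup, '-|');       # undef: fork failed, 0: we are the child
    unless (defined $pid) {
        warn "fork for whois failed: $!\n";
        return;
    }
    if ($pid == 0) {
        warn "in child, about to exec $WHOIS $domain\n";
        exec($WHOIS, $domain)             # list form: no shell is involved
            or warn "exec $WHOIS failed: $!\n";
        exit 127;                         # reached only when exec failed
    }
    my @lines = <$lkup>;
    close($lkup)
        or warn "whois child failed: status=$? error=$!\n";
    return @lines;
}

# Constructed sample input: first argument, or example.com when none is given.
my $domain = untaint_domain($ARGV[0] // 'example.com');
if (defined $domain) {
    print for whois_lines($domain);
}
else {
    warn "rejected domain value\n";
}
```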