New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Perl 5.8.8 (Tainting) vulnerable to CWE-732 attacks #9632
Comments
From adamk@cpan.orgCreated by adamk@cpan.orgCWE-732 is the Common Weakness Enumeration identifier for the class of security bugs where a program does not validate the providence of critical files before loading them. That is, a program does not check if a critical file MIGHT have been written to by an untrusted actor. This weakness was included in the SANS institute Top 25 security bugs list. A full description of CWE-732 is available at the following URL. http://cwe.mitre.org/data/definitions/732.html The perl 'require' function appears to be vulnerable to exploits based on CWE-732, suggesting this may be a pervasive weakness in the perl executable. Worse, perl's tainting implementation does not seem to protect against these exploits. For example, create a file foo.pm that contains. print "Vulnerable to CWE-732\n"; Next, chmod the foo.pm file to have world-writable permissions.
Next, create foo.pl that contains. require './foo.pm'; Finally, execute foo.pl with.
It's debatable whether or not this should be specifically protected against by -T or if some other action should be needed, I leave discussion of the specifics to P5P. I also apologise that I only have a 5.8.8 to validate this again, my 5.10 install is only on Windows, where a validation is not as simple as on unix. Adam K Perl Info
|
From @craigberryOn Tue, Jan 20, 2009 at 7:30 AM, adamk@cpan.org (via RT)
I assume you mean provenance, not providence, though divine intention
Note that most of the recommended mitigating actions are upstream from
Er, how do you do that in a properly installed Perl without
I don't see how checking for world write access could possibly meet Possibly some sort of digital signature validation at run-time could |
The RT System itself - Status changed from 'new' to 'open' |
From @nwc10On Wed, Jan 21, 2009 at 11:21:09AM -0600, Craig A. Berry wrote:
They can't necessarily remove the world write bit. They need to own the file The problem it guards against is any user running code that happens to require You're right that it can't detect the case where the "unknown actor" had Nicholas Clark |
From @AbigailOn Wed, Jan 21, 2009 at 11:21:09AM -0600, Craig A. Berry wrote:
I wonder whether -T should even check for this. It isn't that the Furthermore, if -T were to be changed that it disallows executing code Abigail |
From @moritzadamk@cpan.org (via RT) wrote:
In a similar setting, openssh protects stupid users with too permissive Whether we want something similar for module loading is basically a Cheers, |
From @gisleOn Jan 21, 2009, at 18:30 , Nicholas Clark wrote:
So, potentially we could change the definition of 'do' under -T so that: - do $file: - require implemented in terms of do Seems insanely expensive to me and something that would break lots of --Gisle
|
From @demerphq2009/1/21 Gisle Aas <gisle@activestate.com>:
If we do this I dont think we should do it via -T i think we should do --i-am-amazingly-paranoid-so-i-want-you-to-distrust-world-writable-source-files would probably do fine. Perhaps we could support --iaapsiwytdwwsf as a cheers, -- |
Migrated from rt.perl.org#62526 (status was 'open')
Searchable as RT62526$
The text was updated successfully, but these errors were encountered: