setgid error

[Ryan]

hello all, thanks in advance for any help given. when i run this script, an error comes up: "Insecure dependency in open while running setgid at cpptrak.pl line 27."


#!/usr/local/bin/perl -wT

use CGI ':standard';
use strict;
require TripodCGI;
require 'sub.lib';

($n, $sec, $url, $c);

if ($ENV{'REQUEST_METHOD'} eq 'POST'){

my $CGI = new CGI;

$n = $CGI->param('fn');

}

$sec=2;
$url= '../' . $n . '.zip';

open (RF, "<$n.txt") || Error ('open', 'file');

$c = <RF>;

close(RF);

open (WF, ">$n.txt") || Error ('open','file'); ##LINE 27##

mime();
print WF "$c";

close(WF);

mime();
refresh($sec, $url);
print "$n.exe should begin downloading. If not, click <a href='$url'>here</a>.<br><br><br><br><a href='progs.html'>Click here</a> to return to the programs page.";

[jeffmott]

The problem here is because the value of $n is dependant on user input. On line 27 you are writing to a file with no real idea of what that file could be. For example a malicious user can use slashes to form a path causing the file to be written to even a different directory than you had planned on. You will first have to assure that $n will not contain any unwanted input and then clear its taintedness.

A good way to prevent "bad characters" from appearing and still allow the user to type in a full range of characters is to convert the value of $n to a hex string. The character values are retained but the string will only contain the characters 0-9 and a-f.

$n = unpack('H*', $n);

Now that we know it is safe, we need to untaint $n so that Perl will allow it through. The only way to bypass the tainting mechanism is by referencing subpatterns from a regular expression match. Perl presumes that if you reference a substring using $1, $2, etc., that you knew what you were doing when you wrote the pattern.

$n =~ m/^(.*)$/s;
$n = $1;

Or you could use a regular expression match to only allow certain characters through.

$n =~ m/^([a-zA-Z0-9_]+)/;
$n = $1;

See Perl Security for more details.

It also appears as if you are missing your my() declaration on line 8.

[Ryan]

"Unable to create sub named "*Member::Error" at cpptrak.pl line 24."



#!/usr/local/bin/perl -wT

use CGI ':standard';
use strict;
require TripodCGI;
require 'sub.lib';

my ($n, $sec, $url, $c);

if ($ENV{'REQUEST_METHOD'} eq 'POST'){

my $CGI = new CGI;

$n = $CGI->param('fn');
}

$n = unpack('H*', $n);
$n =~ m/^([a-zA-Z0-9_]+)/;
$n = $1;

$sec=2;
$url= '../' . $n . '.zip';

open (rf, "<$n.txt") || Error ('open', 'file'); ##LINE 24##

$c = <rf>;

close(rf);

open (wf, ">$n.txt") || Error ('open','file');

mime();
print wf "$c";

close(wf);

mime();
refresh($sec, $url);

print "$n.exe should begin downloading. If not, click <a href='$url'>here</a>.<br><br><br><br><a href='progs.html'>Click here</a> to return to the programs page.";

[jeffmott]

Where is Error() defined?

[Ryan]

actually, i didn't define it...

but when i did, it screwed up, so that's sort of a moot point.