printf should check taintedness of its template
user name
2007-09-22 14:11:18
# New Ticket Created by  Mike Rosulek 
# Please include the string:  [perl #45671]
# in the subject line of all future correspondence about this issue. 
# <URL: http://rt.perl.org/rt3/Ticket/Display.html?id=45671 >


This is a bug report for perl from mikemikero.com, generated with the help of perlbug 1.35 running under perl v5.8.8.


-----------------------------------------------------------------
[Please enter your report here]


printf and sprintf are vulnerable to injection attacks. Using
the %n printf template syntax, an attacker can modify any
variables that were used as arguments to sprintf.

As such, printf's template argument should be checked for taintedness,
but it isn't.

The following code uses the sprintf vulnerability to modify
the value of $bar:

  perl -lTe 'printf "$ARGV[0]\n", $foo, $bar; print $bar' "%d %n"


[Please do not change anything below this line]
-----------------------------------------------------------------
---
Flags:
    category=core
    severity=high
---
Site configuration information for perl v5.8.8:

Configured by Debian Project at Wed Dec  6 23:17:41 UTC 2006.

Summary of my perl5 (revision 5 version 8 subversion 8) configuration:
  Platform:
    osname=linux, osvers=2.6.18.3, archname=i486-linux-gnu-thread-multi
    uname='linux saens 2.6.18.3 #1 smp sat nov 25 13:39:52 est 2006 i686 gnulinux '
    config_args='-Dusethreads -Duselargefiles -Dccflags=-DDEBIAN -Dcccdlflags=-fPIC -Darchname=i486-linux-gnu -Dprefix=/usr -Dprivlib=/usr/share/perl/5.8 -Darchlib=/usr/lib/perl/5.8 -Dvendorprefix=/usr -Dvendorlib=/usr/share/perl5 -Dvendorarch=/usr/lib/perl5 -Dsiteprefix=/usr/local -Dsitelib=/usr/local/share/perl/5.8.8 -Dsitearch=/usr/local/lib/perl/5.8.8 -Dman1dir=/usr/share/man/man1 -Dman3dir=/usr/share/man/man3 -Dsiteman1dir=/usr/local/man/man1 -Dsiteman3dir=/usr/local/man/man3 -Dman1ext=1 -Dman3ext=3perl -Dpager=/usr/bin/sensible-pager -Uafs -Ud_csh -Uusesfio -Uusenm -Duseshrplib -Dlibperl=libperl.so.5.8.8 -Dd_dosuid -des'
    hint=recommended, useposix=true, d_sigaction=define
    usethreads=define use5005threads=undef useithreads=define
    usemultiplicity=define
    useperlio=define d_sfio=undef uselargefiles=define usesocks=undef
    use64bitint=undef use64bitall=undef uselongdouble=undef
    usemymalloc=n, bincompat5005=undef
  Compiler:
    cc='cc', ccflags ='-D_REENTRANT -D_GNU_SOURCE -DTHREADS_HAVE_PIDS -DDEBIAN -fno-strict-aliasing -pipe -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64',
    optimize='-O2',
    cppflags='-D_REENTRANT -D_GNU_SOURCE -DTHREADS_HAVE_PIDS -DDEBIAN -fno-strict-aliasing -pipe -I/usr/local/include'
    ccversion='', gccversion='4.1.2 20061115 (prerelease) (Debian 4.1.1-20)', gccosandvers=''
    intsize=4, longsize=4, ptrsize=4, doublesize=8, byteorder=1234
    d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=12
    ivtype='long', ivsize=4, nvtype='double', nvsize=8, Off_t='off_t', lseeksize=8
    alignbytes=4, prototype=define
  Linker and Libraries:
    ld='cc', ldflags =' -L/usr/local/lib'
    libpth=/usr/local/lib /lib /usr/lib
    libs=-lgdbm -lgdbm_compat -ldb -ldl -lm -lpthread -lc -lcrypt
    perllibs=-ldl -lm -lpthread -lc -lcrypt
    libc=/lib/libc-2.3.6.so, so=so, useshrplib=true, libperl=libperl.so.5.8.8
    gnulibc_version='2.3.6'
  Dynamic Linking:
    dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-E'
    cccdlflags='-fPIC', lddlflags='-shared -L/usr/local/lib'

Locally applied patches:
    


Re: printf should check taintedness of its template
user name
2007-09-23 07:56:49
On Sat, Sep 22, 2007 at 12:11:18PM -0700, Mike Rosulek wrote:
> printf and sprintf are vulnerable to injection attacks. Using
> the %n printf template syntax, an attacker can modify any
> variables that were used as arguments to sprintf.
> 
> As such, printf's template argument should be checked for taintedness,
> but it isn't.
> 
> The following code uses the sprintf vulnerability to modify
> the value of $bar:
> 
>   perl -lTe 'printf "$ARGV[0]\n", $foo, $bar; print $bar' "%d %n"

Thanks for the report. This has already been done in the development branch
of perl (the soon-to-be 5.10.0):

$ ./perl -lTe 'printf "$ARGV[0]\n", $foo, $bar; print $bar' "%d %n"
Insecure dependency in printf while running with -T switch at -e line 1.
$


-- 
Red sky at night - gerroff my land!
Red sky at morning - gerroff my land!
    -- old farmers' sayings #14
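The defensive side of the report and reply above, as an added example that is not code from the ticket or from the perl source: the user value is passed as an argument rather than as the template, and where a format must be configurable it is checked against an allow-list of conversions (no %n) before use. The script name safe_format.pl and the helpers render_safe and checked_format are assumptions of this example.

```perl
# Run under taint mode, e.g.:  perl -T safe_format.pl '%d %n'
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Constructed stand-in for the report's $ARGV[0]; under -T it is tainted.
my $input = @ARGV ? $ARGV[0] : "%d %n";
my $count = 42;

# Pattern 1: user data goes in as an argument, never as the template. Any
# '%' in it is printed literally, so a %n cannot be aimed at another variable.
sub render_safe {
    my ($text, $n) = @_;
    return sprintf("user said: %s (id %d)", $text, $n);
}

# Pattern 2: when a format really must be configurable, accept only an
# explicit allow-list of conversions (%%, %s, %d, %f with simple flags,
# width and precision) and return the regex capture, which is untainted
# only because it passed this check.
sub checked_format {
    my ($fmt) = @_;
    if ($fmt =~ /\A((?:[^%]|%%|%[-+ 0#]*\d*(?:\.\d+)?[sdf])*)\z/) {
        return $1;
    }
    die "refusing format with disallowed conversion: $fmt\n";
}

print "input tainted: ", (tainted($input) ? "yes" : "no"), "\n";
print render_safe($input, $count), "\n";

my $fmt = eval { checked_format($input) };
if (defined $fmt) {
    printf "$fmt\n", $count;
} else {
    print "rejected: $@";
}

# The unchecked call from the ticket, for contrast. On perls that taint-check
# the template (5.10.0 onward, per the reply) this dies with
# "Insecure dependency in sprintf"; on 5.8.8 the %n would overwrite $count.
my $out = eval { sprintf($input, $count, $count) };
print defined $out ? "unchecked sprintf ran; count is now $count\n"
                   : "unchecked sprintf refused: $@";
```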
