This queue is for tickets about the Net-Ping-External CPAN distribution.

Report information

The Basics
Id: 33230
Status: new
Priority: Low/Low

People
Owner: Nobody in particular
Requestors: jschauma [...] netmeister.org
Cc:
AdminCc:

BugTracker
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



Subject: shell exploit and resolv error
Date: Wed, 13 Feb 2008 12:01:23 -0800
To: bug-Net-Ping-External@rt.cpan.org
From: Jan Schaumann <jschauma@netmeister.org>
Hello,

It looks like Net::Ping::External allows for shell exploits if passed invalid hostnames.

    my $alive = ping(host => "something>file");

This will create (or truncate) a file 'file' (if permissions on the cwd or file allow it).

This is due to unchecked argument passing to backticks in External.pm

    my $result = `$command`;

This should either check the given arguments and escape or not allow shell characters, or use system instead of backticks with a list.

-Jan

-- 
``Life is too short to stay entirely sober.'' -- Chuck Swiger
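The two remedies the report names (check the host argument, and run the command from a list so no shell is involved), as an added example that is not code from Net::Ping::External or from the reporter. The names valid_host and safe_ping are hypothetical, and the -c count flag assumes a Linux/BSD-style ping.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helpers for illustration; not part of Net::Ping::External.

# Accept only hostname-shaped input: labels of letters, digits and '-',
# joined by '.', with no label starting or ending in '-'. Rejecting a
# leading '-' also stops the value being parsed by ping as an option.
sub valid_host {
    my ($host) = @_;
    return 0 unless defined $host && length $host && length $host <= 253;
    my $label = qr/(?!-)[A-Za-z0-9-]{1,63}(?<!-)/;
    return $host =~ /\A$label(?:\.$label)*\z/ ? 1 : 0;
}

# Run ping without a shell. The list form of a pipe open executes the
# program directly, so characters such as '>', ';', '|' and '`' in an
# argument are passed through as literal bytes and never interpreted.
sub safe_ping {
    my (%args) = @_;
    my $host  = $args{host};
    my $count = defined $args{count} ? $args{count} : 1;
    die "invalid host\n"  unless valid_host($host);
    die "invalid count\n" unless $count =~ /\A[1-9][0-9]{0,2}\z/;

    # Assumption: the local ping accepts "-c <count>".
    my $pid = open(my $out, '-|', 'ping', '-c', $count, $host);
    return 0 unless $pid;
    my @output = <$out>;    # drain the pipe so ping can finish
    close($out);            # sets $? to ping's exit status
    return $? == 0 ? 1 : 0;
}

# Constructed inputs: the ticket's example, an option-shaped value,
# and an ordinary hostname.
for my $host ('something>file', '-c5', 'localhost') {
    my $alive = eval { safe_ping(host => $host) };
    my $status;
    if (defined $alive) {
        $status = $alive ? 'alive' : 'no reply';
    } else {
        chomp(my $err = $@);
        $status = "rejected ($err)";
    }
    printf "%-16s %s\n", $host, $status;
}
```

With this structure the validation is defence in depth: even if a metacharacter got past valid_host, the list-form open would hand it to ping as an argument rather than to a shell.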



