
Insecure dependency in taint mode

hey, i have a slight problem, i know what's wrong, however i don't know how to fix it.
i am trying to run a system command to run one script from another. the problem is with taint mode. if i don't include -T at the top of the script system doesn't run... (i think). if i do include it i get the following error:

[Wed Dec 10 14:07:57 2003] [error] [client 81.132.220.83] malformed header from script. Bad header=<pre>Insecure dependency in sy: /home/jxkobgnr/public_html/cgi-bin/sendtxt.cgi
[Wed Dec 10 14:07:57 2003] sendtxt.cgi: Insecure dependency in system while running with -T switch at /home/jxkobgnr/public_html/cgi-bin/sendtxt.cgi line 305.

Code:
my $link = "/cgi-bin/cron/text.cgi?id=$row_id[0]&code=$code";
delete @ENV{qw(PATH IFS CDPATH ENV BASH_ENV)};
system "$link";
the problem is that $code is tainted. it's just a cgi param, and $row_id[0] is a database value.
so how can i get it to work?
thanks
Pedge
Re: [pedge] Insecure dependency in taint mode
Why not just use something like;

Code:
my $command = qq|cgi-bin/cron/text.cgi?id=$row_id[0]&code=$code|;
`$command`;

Unsure

Cheers

Andy (mod)
andy@ultranerds.co.uk
Want to give me something back for my help? Please see my Amazon Wish List
GLinks ULTRA Package | GLinks ULTRA Package PRO
Links SQL Plugins | Website Design and SEO | UltraNerds | ULTRAGLobals Plugin | Pre-Made Template Sets | FREE GLinks Plugins!
Re: [Andy] Insecure dependency in taint mode
nope - still the same error.
ps. should i keep the delete @ENV line in?

thanks
Pedge
Re: [pedge] Insecure dependency in taint mode
where do $row_id and $code come from?
Re: [Mark Badolato] Insecure dependency in taint mode
 my $code=$query->param('code');

my $id_statement = $dbh->prepare("SELECT * FROM textmsg WHERE id=LAST_INSERT_ID()");
$id_statement->execute();
my @row_id = $dbh->selectrow_array($id_statement);
Re: [pedge] Insecure dependency in taint mode
I would be tempted to use something like this;

$id_statement->execute() || die $!;
my @row_id = $dbh->fetchrow_array($id_statement);

Doubt that has anything to do with your problem, but it's worth a try :)

Cheers

Andy (mod)
andy@ultranerds.co.uk
Re: [Andy] Insecure dependency in taint mode
no that didn't make a difference...
and that didn't work for me, but this did:

my @row_id = $id_statement->fetchrow_array;
Re: [pedge] Insecure dependency in taint mode
Sorry, it should be;

my @row_id = $id_statement->fetchrow_array;

.... the part inside the () isn't needed, as $id_statement is passing the values back from that anyway :)

Cheers

Andy (mod)
andy@ultranerds.co.uk
Re: [pedge] Insecure dependency in taint mode
The error occurs because you aren't taint checking your input. Taint checking can be a bit of a hassle, as is hunting down warnings but it is a necessary step in order to make your code secure.

So basically what you need to do is validate the tainted variable by using something like this:

Code:
$code =~ /^(some_safe_regex)$/ and $code = $1;

That should fix the problem.

It's not to do with your SQL code as Andy pointed out ;)

Last edited by: Coombes: Dec 10, 2003, 9:23 AM
Re: [Coombes] Insecure dependency in taint mode
i'm sorry i'm a bit thick at this...
what's the exact code i have to use?
Re: [pedge] Insecure dependency in taint mode
What should $code contain?
Re: [pedge] Insecure dependency in taint mode
Hi pedge,

Check out the perlsec pod. The section on Laundering and Detecting Tainted Data has sample code that shows what you need to do to untaint your data.

From the POD:
Code:
if ($data =~ /^([-\@\w.]+)$/) {
    $data = $1; # $data now untainted
} else {
    die "Bad data in $data"; # log this somewhere
}
That will make sure there is no funny stuff in the data.

~Charlie
Re: [Coombes] Insecure dependency in taint mode
that's a string (6 characters long) which is and then encrypted with md5_hex. then i save that to a database, and call it up from another script. it's just a little bit of extra security i built into the script to stop people from skipping the first script and sending a text message. i think it's 32 characters if i remember right...
so that's the reason i don't know what to pattern search for.
thanks
Pedge
Re: [Chaz] Insecure dependency in taint mode
thanks - well i no longer get an error.
however it's not working... the system part... no error, just nothing... i would know if it was working because it would send a text message. is there any reason why it wouldn't be working with no error message?
Re: [pedge] Insecure dependency in taint mode
Check the return value of the system command to find out what happened. Read the POD on system though: http://www.perldoc.com/...pod/func/system.html specifically the paragraph on the return value of system.

Quote:
Return value of -1 indicates a failure to start the program (inspect $! for the reason).

~Charlie
Re: [pedge] Insecure dependency in taint mode
Quote:
my $code=$query->param('code');

There's your problem (or one of them). You're getting data from the user. You need to untaint it. Right now you're taking that and using it in your system command, which is VERY dangerous.

Read up on taint mode and learn how to untaint your data.

--mark
Re: [Mark Badolato] Insecure dependency in taint mode
i have tried to - and i think it's untainted, however it still doesn't work. here is the entire section of code, maybe someone can see something i missed. (i have highlighted where $code appears)

thanks
Pedge

Code:
my $contact_id=$query->param('contact_id');
my $message=$query->param('message');
my $code=$query->param('code');

if ($contact_id eq ""||length($message)>=151){
    print $query->header;
    makeHTML1();
    print "text meesage too long<br>";
    print length($message)."<br>";
    print $message."<br>";
    makeHTML3();
}
else{
    my $dbh = DBI->connect($server,$dbuser,$password)||
        die "Error Connecting to database: $DBI::errstr\n";
    my $time;
    $time = HTTP::Date::time2iso($time);

    my $con_statement = $dbh->prepare("select * from contact where contact_id='$contact_id'");
    $con_statement->execute();
    my @row_con = $dbh->selectrow_array($con_statement);

    my $add = $dbh->prepare("INSERT INTO textmsg VALUES(
    '','$member_id','$time','$row_con[6]','$message')");
    $add->execute();

    my $id_statement = $dbh->prepare("SELECT * FROM textmsg WHERE id=LAST_INSERT_ID()");
    $id_statement->execute() || die $!;
    my @row_id = $dbh->selectrow_array($id_statement);

    delete @ENV{qw(PATH IFS CDPATH ENV BASH_ENV)};

    if ($code =~ /^([-\@\w.]+)$/) {
        $code = $1; # $code now untainted
    } else {
        die "Bad data in $code";
    }
    if ($row_id[0] =~ /^([-\@\w.]+)$/) { # added this just in case it's needed
        $row_id[0] = $1; # $row_id[0] now untainted
    } else {
        die "Bad data in $row_id[0]";
    }

    my $link = qq|cron/text.cgi?id=$row_id[0]&code=$code|;
    system "$link";
    $dbh->disconnect or warn "Disconnection failed: $DBI::errstr\n";
Re: [pedge] Insecure dependency in taint mode
hey guys, don't worry about it... it's sorted now...
i gave up, and modified the script so now it saves the message in the database, and the second script is called by a cron job. much safer this way.
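
The thread ends without a working `system` call, so the following is an added example (not code from any poster here) of the pattern the replies point toward: untaint each value by its exact shape, run the helper in list form so no shell is involved, and inspect the return value. A single string such as `cron/text.cgi?id=...&code=...` is handed to the shell, where `&` puts the first part in the background and the shell itself exits 0, which is consistent with the "no error, just nothing" result reported above. The helper path, the `untaint` and `run_helper` names, the sample values, and the assumption that the helper reads `name=value` pairs from its arguments are all hypothetical.

```perl
#!/usr/bin/perl -T
# Added example. Run with: perl -T example.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Known-safe environment for child processes, as perlsec recommends.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Return the captured (untainted) match, or undef if $value does not fit.
sub untaint {
    my ($value, $pattern) = @_;
    return unless defined $value && $value =~ $pattern;
    return $1;
}

# Run $program with @args directly, with no shell in between.
# Returns (1, 'ok') on success or (0, reason) on failure.
sub run_helper {
    my ($program, @args) = @_;
    no warnings 'exec';    # failure is reported through the return value
    my $rc = system { $program } $program, @args;
    return (0, "could not start $program: $!") if $rc == -1;
    return (0, sprintf('killed by signal %d', $? & 127)) if $? & 127;
    return (0, sprintf('exit status %d', $? >> 8))       if $? >> 8;
    return (1, 'ok');
}

# Constructed sample input. Appending a zero-length slice of $^X taints the
# strings, which is how values from $query->param() look under -T.
my $TAINT = substr($^X, 0, 0);
my $code  = '5d41402abc4b2a76b9719d911017c592' . $TAINT;   # md5_hex: 32 hex chars
my $id    = '42' . $TAINT;

# Allow-list by exact shape: a pattern this strict rejects "?", "&", ";" etc.
my $safe_code = untaint($code, qr/\A([0-9a-f]{32})\z/);
my $safe_id   = untaint($id,   qr/\A([0-9]{1,10})\z/);
die "rejected input\n" unless defined $safe_code && defined $safe_id;
printf "code tainted before: %d, after: %d\n",
    tainted($code) ? 1 : 0, tainted($safe_code) ? 1 : 0;

# Hypothetical absolute path; assumes the helper reads name=value from @ARGV.
my $helper = '/home/user/cgi-bin/cron/text.cgi';
my ($ok, $msg) = run_helper($helper, "id=$safe_id", "code=$safe_code");
print $ok ? "helper ran\n" : "helper failed: $msg\n";
```

On a machine where the hypothetical helper path does not exist, the last line prints the `$!` reason from the `-1` return, which is the check Charlie's reply recommends.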