Date: Mon, 13 Jun 2011 10:57:36 -0400 From: Mark Stosberg <mark@...mersault.com> To: oss-security@...ts.openwall.com CC: Jan Lieskovsky <jlieskov@...hat.com>, "Steven M. Christey" <coley@...us.mitre.org>, Damyan Ivanov <dmn@...ian.org>, 629511@...s.debian.org, Iain Arnell <iarnell@...il.com>, Marcela Maslanova <mmaslano@...hat.com> Subject: Re: CVE Request -- Data-FormValidator -- Reports invalid field as valid when untaint_all_constraints used On 06/12/2011 10:49 AM, Jan Lieskovsky wrote: > Hello, Josh, Steve, vendors, > > It was found that perl-Data-FormValidator, a HTML form user input > validator, used to treat certain invalid fields as valid, when the > untaint_all_constraints directive was used (default for majority of > Data-FormValidator routines). A remote attacker could use this flaw to > bypass perl Taint mode protection mechanism via specially-crafted input > provided to the HTML form. > > Note: Hopefully Damyan, Mark can clarify here, if valid data from > Data-FormValidator are automatically marked as untainted for > perl Taint mode or not. If there still is perl Taint mode > protection check present, even on valid Data-FormValidator > data and it couldn't happen, that tainted data would be passed > further to the script processing, then this is not a security > issue. I maintain DFV and have looked at this now. The issue was limited to fields whose constraints were defined as regular expressions. To trigger it, it was also required that a unrelated Regex match before the particular field validation happened was successful. In that case, a value could be marked as "valid" when it was invalid, and would also be untainted. I've reviewed a test and fix for this now and am ready to release it. If there is a CVE number about to be assigned, I can wait for that. Thanks for bringing this to my attention. Mark
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ