Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 13 Jun 2011 10:57:36 -0400
From: Mark Stosberg <mark@...mersault.com>
To: oss-security@...ts.openwall.com
CC: Jan Lieskovsky <jlieskov@...hat.com>, 
 "Steven M. Christey" <coley@...us.mitre.org>,
 Damyan Ivanov <dmn@...ian.org>, 629511@...s.debian.org, 
 Iain Arnell <iarnell@...il.com>,
 Marcela Maslanova <mmaslano@...hat.com>
Subject: Re: CVE Request -- Data-FormValidator -- Reports invalid field as
 valid when untaint_all_constraints used

On 06/12/2011 10:49 AM, Jan Lieskovsky wrote:
> Hello, Josh, Steve, vendors,
> 
>   It was found that perl-Data-FormValidator, a HTML form user input
> validator, used to treat certain invalid fields as valid, when the
> untaint_all_constraints directive was used (default for majority of
> Data-FormValidator routines). A remote attacker could use this flaw to
> bypass perl Taint mode protection mechanism via specially-crafted input
> provided to the HTML form.
> 
> Note: Hopefully Damyan, Mark can clarify here, if valid data from
>       Data-FormValidator are automatically marked as untainted for
>       perl Taint mode or not. If there still is perl Taint mode
>       protection check present, even on valid Data-FormValidator
>       data and it couldn't happen, that tainted data would be passed
>       further to the script processing, then this is not a security
>       issue.

I maintain DFV and have looked at this now. The issue was limited to
fields whose constraints were defined as regular expressions. To trigger
it, it was also required that a unrelated Regex match before the
particular field validation happened was successful. In that case, a
value could be marked as "valid" when it was invalid, and would also be
untainted.

I've reviewed a test and fix for this now and am ready to release it. If
there is a CVE number about to be assigned, I can wait for that.

Thanks for bringing this to my attention.

   Mark

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ