possible security hole

Florian Weimer Florian.Weimer@RUS.Uni-Stuttgart.DE
05 Dec 2000 13:31:28 +0100


Werner Koch <wk@gnupg.org> writes:


> On Mon, 4 Dec 2000, Derek Vokey wrote:
>
> > "echo $sensitiveinfo|gpg --homedir /my/home/dir --always-trust -ear me|mail
> > to\@me.com"
>
> I don't know PHP, but I assume that you are using something like
> system(3) to do this job. The problem is that you might be able to
> trick the shell into doing evil things by having shell code in
> $sensitiveinfo.
>
> Some possible solutions:
>
> * sanitize $sensitiveinfo by removing all characters except for
> digits, underscore, space and letters :-)

If you do this, other (non-privileged) users on the same machine are
able to retrieve $sensitiveinfo by examining the environment of the
shell process.

-- 
Florian Weimer                    Florian.Weimer@RUS.Uni-Stuttgart.DE
University of Stuttgart           http://cert.uni-stuttgart.de/
RUS-CERT                          +49-711-685-5973/fax +49-711-685-5898
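
Added example, not part of the original thread or of GnuPG: a Python sketch of the same pipeline run without a shell, so the sensitive text travels only over the child's stdin and is never parsed as shell code or placed in an argument list or environment variable. The gpg options and mail recipient are copied from the quoted command; `run_with_stdin`, `encrypt_and_mail`, `demo` and the `STANDIN` helper process are hypothetical names introduced here.

```python
import subprocess
import sys

# Options and recipient copied from the command quoted in the thread.
GPG_ARGV = ["gpg", "--homedir", "/my/home/dir", "--always-trust", "-ear", "me"]
MAIL_ARGV = ["mail", "to@me.com"]

# Stand-in for gpg (assumption, for offline runs): copies stdin to stdout.
STANDIN = [sys.executable, "-c",
           "import sys; sys.stdout.buffer.write(sys.stdin.buffer.read())"]


def run_with_stdin(argv, data: bytes) -> bytes:
    """Run argv directly (no shell) and feed data on stdin only."""
    if any(data and data in arg.encode() for arg in argv):
        raise ValueError("secret must not appear on the command line")
    proc = subprocess.run(argv, input=data, stdout=subprocess.PIPE,
                          stderr=subprocess.PIPE, shell=False, check=True)
    return proc.stdout


def encrypt_and_mail(secret: bytes) -> None:
    """Equivalent of `echo ... | gpg ... | mail ...` with no shell involved."""
    ciphertext = run_with_stdin(GPG_ARGV, secret)
    run_with_stdin(MAIL_ARGV, ciphertext)


def demo() -> bool:
    # Constructed hostile input: a shell would interpret these metacharacters.
    hostile = b"x; touch /tmp/pwned; $(id) `id` | cat\n"
    return run_with_stdin(STANDIN, hostile) == hostile


if __name__ == "__main__":
    print("metacharacters passed through verbatim:", demo())
```

The same pattern exists in PHP as `proc_open()` with a pipe for the child's stdin.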