
This queue is for tickets about the DateTime-TimeZone CPAN distribution.

Report information
The Basics
Id: 14063
Status: resolved
Priority: 0/
Queue: DateTime-TimeZone

People
Owner: Nobody in particular
Requestors: matthew.reilly [...] sipphone.com
Cc:
AdminCc:

Bug Information
Severity: Important
Broken in: 0.36
Fixed in: 0.37



Subject: eval security exploit
This module evals timezones without validating their format. As a result, if an unvalidated timezone is passed to this function, arbitrary Perl code could be executed. Since it is reasonable to expect that timezones would be sent by (for example) a CGI script in many places this module would be used, unvalidated timezones could be passed in by untrusted users. Particularly bad, the "is_valid_name" class method has the same lack of validation, and yet its whole purpose is to detect bad timezones.

The problem is in TimeZone.pm:new at the line:

    eval "require $real_class";

Adding this line before the require will fix the insertion bug:

    die "The timezone '$p{name}' in an invalid name.\n" unless ($real_class =~ /^\w+(::\w+)*$/);

Included is a small Perl script that shows how this could be exploited, and a small one-line fix. Thank you very much.

**** Example code which executes "hostname" command. *****

    #!/usr/bin/perl
    use DateTime::TimeZone;

    my $command  = "hostname";
    # The zone name carries Perl code after the ';' so the string eval in
    # TimeZone.pm:new runs it when it requires the "class".
    my $timezone = "America/Los_Angeles;system('$command')";

    # Executes $command
    $a = new DateTime::TimeZone( name => $timezone );

    # Executes $command
    $b = DateTime::TimeZone->is_valid_name($timezone);

***** Patch against version 0.36 *******

*** TimeZone.pm Mon Aug 8 18:00:59 2005
--- TimeZone.pm Mon Aug 8 17:59:25 2005
***************
*** 65,70 ****
--- 65,72 ----
  $subclass =~ s{/}{::}g;
  my $real_class = "DateTime::TimeZone::$subclass";
+ die "The timezone '$p{name}' in an invalid name.\n" unless ($real_class =~ /^\w+(::\w+)*$/);
+
  unless ( $real_class->can('instance') ) {
  eval "require $real_class";
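Review bot: the added `die` anchors its pattern with `$`, which in Perl also matches just before a trailing newline, so a name ending in "\n" still passes `/^\w+(::\w+)*$/`; `\A` and `\z` close that gap, e.g. `unless ($real_class =~ /\A\w+(::\w+)*\z/)`. The message string reads "in an invalid name" where "is an invalid name" is meant. Separately, the file header dates the `***` (old) copy of TimeZone.pm later (18:00:59) than the `---` (new) copy (17:59:25), which suggests the two files may have been given to diff in reversed order even though the hunk body shows the check as an addition; worth confirming before applying.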
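The safe shape of the fix, as an added example that is not the ticket's patch or DateTime::TimeZone's own code: validate the derived class name as a bare Perl package name (with `\A`/`\z` rather than `^`/`$`) and then load it through `require` with a file path, so no user-controlled string is ever evaluated as Perl. The function names `zone_to_class` and `load_class` are hypothetical, the input strings are constructed for the demo, and the loader is exercised on the core module File::Spec so the script runs without DateTime::TimeZone installed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Added example (not code from the ticket or from DateTime::TimeZone).
# zone_to_class and load_class are hypothetical names chosen for this demo.

# A package name is word characters separated by "::". \A and \z are used
# instead of ^ and $ because $ also matches before a trailing newline.
my $CLASS_RE = qr/\A\w+(?:::\w+)*\z/;

# Map a user-supplied zone name such as "America/Los_Angeles" to the class
# name the module would load, refusing anything that is not a bare package name.
sub zone_to_class {
    my ($name) = @_;
    die "Missing timezone name\n" unless defined $name && length $name;
    (my $subclass = $name) =~ s{/}{::}g;
    my $class = "DateTime::TimeZone::$subclass";
    die "The timezone '$name' is an invalid name.\n" unless $class =~ $CLASS_RE;
    return $class;
}

# Load a class without string eval: Foo::Bar becomes Foo/Bar.pm and that path
# goes to require, which treats it as a file name and never as Perl source.
sub load_class {
    my ($class) = @_;
    die "Refusing to load '$class': not a package name\n" unless $class =~ $CLASS_RE;
    (my $file = $class) =~ s{::}{/}g;
    require "$file.pm";
    return $class;
}

# Constructed inputs: one legitimate zone, the injection string from the
# ticket, and a name with a trailing newline that ^...$ alone would let through.
my @inputs = (
    "America/Los_Angeles",
    "America/Los_Angeles;system('hostname')",
    "UTC\n",
);

for my $input (@inputs) {
    my $class = eval { zone_to_class($input) };
    if (defined $class) {
        print "accepted: $class\n";
    } else {
        print "rejected: $@";
    }
}

# The loader is exercised on a core module so the script runs without
# DateTime::TimeZone installed.
print "loaded ", load_class('File::Spec'), "\n";
```

Because `is_valid_name` reaches the same code path through `new`, a rejection in `zone_to_class` surfaces there as a plain "not valid" result rather than as code execution. Passing a file path to `require` (not a bareword and not a string eval) is what removes the injection point; the regex is the second layer that keeps the mapping from zone name to class honest.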