top | item 13891746


jacobwcarlson | 9 years ago

It's weird that over the course of 7 hours no one on a site called Hacker News noticed that send_email.cpp passes unsanitized user-supplied args to system(). I've spent less than 5 minutes looking at this code, so maybe that's the worst of it. But if 5 minutes of investigation found 1980s-style bugs I doubt that's the worst of it.


xapata|9 years ago

I haven't read the code, but regarding unsanitized user input... Isn't the user the, well, user, in this case?

Complaining about bad data in that situation is like complaining that an admin could hit the power switch.

Or maybe I've completely misunderstood the purpose of this software.

Steeeve|9 years ago

system() creates child processes, specified by parameters. If you don't sanitize your parameters, any child process could be created. If you run this software as root, that means root will run the command. If you run this as a user, it's safer than root, but not actually safe.

1) The user isn't always the one providing user input.

2) When the user does provide input, the user isn't always smart.

3) Users do things that you never would have conceived.

Unsanitized system() calls are even worse than leaving your system wide open to a SQL injection attack.

nul_byte|9 years ago

You're right, unsanitized user input is a risk when it's externally crafted. At best in this case, it's more sloppy coding than a high security risk.

tedunangst|9 years ago

Do the arguments come from the user or the exchange? If the email is telling me my profits, and the exchange says my profits are ``cat /etc/passwd`` that could be bad.

jacobwcarlson|9 years ago

Assuming input is from a benign source is literally the cause of every single security issue ever. It's bizarre that I've been downvoted for this. And you're commenting about how I'm wrong without even reading the code. I seriously don't understand this site.

ryanlol|9 years ago

For someone to "exploit" this they must already have code execution.