<?xml version="1.0" encoding="UTF-8"?>
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en-gb">
	<link rel="self" type="application/atom+xml" href="https://forum.eggheads.org/app.php/feed/topic/5675" />

	<title>egghelp/eggheads community</title>
	<subtitle>Discussion of eggdrop bots, shell accounts and tcl scripts.</subtitle>
	<link href="https://forum.eggheads.org/index.php" />
	<updated>2003-09-25T12:06:23-04:00</updated>

	<author><name><![CDATA[egghelp/eggheads community]]></name></author>
	<id>https://forum.eggheads.org/app.php/feed/topic/5675</id>

		<entry>
		<author><name><![CDATA[Anonymous]]></name></author>
		<updated>2003-09-25T12:06:23-04:00</updated>

		<published>2003-09-25T12:06:23-04:00</published>
		<id>https://forum.eggheads.org/viewtopic.php?p=27568#p27568</id>
		<link href="https://forum.eggheads.org/viewtopic.php?p=27568#p27568"/>
		<title type="html"><![CDATA[Security regarding the exec command. (Need some guidance).]]></title>

		
		<content type="html" xml:base="https://forum.eggheads.org/viewtopic.php?p=27568#p27568"><![CDATA[
hehe, not that easy heh..<br><br>Ok, now I at least know it's a security hazard.. <br><br>Thanks<br><br>Draugen<p>Statistics: Posted by Guest — Thu Sep 25, 2003 12:06 pm</p><hr />
]]></content>
	</entry>
		<entry>
		<author><name><![CDATA[ppslim]]></name></author>
		<updated>2003-09-25T06:46:57-04:00</updated>

		<published>2003-09-25T06:46:57-04:00</published>
		<id>https://forum.eggheads.org/viewtopic.php?p=27548#p27548</id>
		<link href="https://forum.eggheads.org/viewtopic.php?p=27548#p27548"/>
		<title type="html"><![CDATA[Security regarding the exec command. (Need some guidance).]]></title>

		
		<content type="html" xml:base="https://forum.eggheads.org/viewtopic.php?p=27548#p27548"><![CDATA[
No, that is incorrect.<br><br>Split converts a string into a Tcl list.<br><br>However, there are occasions where strings can contain harmful Tcl commands. These will only ever cause hassle when you use them in eval, expr or callback functions like after, fileevent, eggdrop timers or the DNS query callback in eggdrop.<br><br>Using exec with user input is a little more worrying. While you can split the elements in a script to contain a list, it isn't Tcl dealing with the parsing of the command being sent to exec.<br><br>Characters such as | can be interpreted and cause security issues.<br><br>Your best bet is to look at other scripts that deal with exec functions like domain whois scripts, ping scripts or others. These will give you a good idea of what can be done to combat this.<p>Statistics: Posted by <a href="https://forum.eggheads.org/memberlist.php?mode=viewprofile&amp;u=2">ppslim</a> — Thu Sep 25, 2003 6:46 am</p><hr />
]]></content>
	</entry>
		<entry>
		<author><name><![CDATA[Anonymous]]></name></author>
		<updated>2003-09-24T20:46:11-04:00</updated>

		<published>2003-09-24T20:46:11-04:00</published>
		<id>https://forum.eggheads.org/viewtopic.php?p=27541#p27541</id>
		<link href="https://forum.eggheads.org/viewtopic.php?p=27541#p27541"/>
		<title type="html"><![CDATA[Security regarding the exec command. (Need some guidance).]]></title>

		
		<content type="html" xml:base="https://forum.eggheads.org/viewtopic.php?p=27541#p27541"><![CDATA[
Thanks, I will try that.<br>I did read the split man page, but I was unable to figure out why this is a more secure way to do it. <br><br>It converts the string into a table, and while printing out the content from a table it does not run any cmd that might be in it?<p>Statistics: Posted by Guest — Wed Sep 24, 2003 8:46 pm</p><hr />
]]></content>
	</entry>
		<entry>
		<author><name><![CDATA[Sir_Fz]]></name></author>
		<updated>2003-09-24T15:31:25-04:00</updated>

		<published>2003-09-24T15:31:25-04:00</published>
		<id>https://forum.eggheads.org/viewtopic.php?p=27530#p27530</id>
		<link href="https://forum.eggheads.org/viewtopic.php?p=27530#p27530"/>
		<title type="html"><![CDATA[Security regarding the exec command. (Need some guidance).]]></title>

		
		<content type="html" xml:base="https://forum.eggheads.org/viewtopic.php?p=27530#p27530"><![CDATA[
<div class="codebox"><p>Code: </p><pre><code>if { [ catch { exec echo $arg | /usr/bin/mail -s "Eggdrop Paged by: $nick" me@myplace.com } fid ] } {</code></pre></div>should be<div class="codebox"><p>Code: </p><pre><code>if { [ catch { exec echo [split $arg] | /usr/bin/mail -s "Eggdrop Paged by: [split $nick]" me@myplace.com } fid ] } { </code></pre></div>then it should be okay, I guess.<p>Statistics: Posted by <a href="https://forum.eggheads.org/memberlist.php?mode=viewprofile&amp;u=3085">Sir_Fz</a> — Wed Sep 24, 2003 3:31 pm</p><hr />
]]></content>
	</entry>
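<![CDATA[
Added example, not code posted by anyone in this thread. It follows up on Sir_Fz's [split $arg] suggestion above and on ppslim's reply earlier in this feed, and it goes a little beyond the single | character the thread mentions: Tcl's exec builds the pipeline itself (no shell is involved), so what matters is whether a whole word, after substitution, looks like one of exec's own operators (a word starting with <, > or 2>, or a word that is exactly |, |& or &), as listed on the exec(n) manual page. The script runs in a plain tclsh on a Unix host with Tcl 8.4 or later; the helper names (exec_word_is_special, page:send, demo), the scratch file name, the /usr/bin/mail path and the recipient address are assumptions made for illustration, and the eggdrop glue at the end only activates when eggdrop's putserv command exists.

```tcl
# Added example for this thread (not code posted by Draugen, Sir_Fz or ppslim).
# Needs Tcl 8.4+ (uses "eq") and a Unix echo; the eggdrop glue at the bottom
# is skipped when run in a plain tclsh.

# Tcl's exec does not go through /bin/sh. After substitution every word is
# one argv element, so "a | b" inside ONE word is not a pipe. What exec does
# inspect is whether a whole word looks like one of its own operators, the
# forms listed on the exec(n) manual page: a word starting with "<", ">" or
# "2>", or a word that is exactly "|", "|&" or "&". This helper mirrors them.
proc exec_word_is_special {word} {
    return [expr {[string match {<*}  $word]
               || [string match {>*}  $word]
               || [string match {2>*} $word]
               || $word eq "|" || $word eq "|&" || $word eq "&"}]
}

# Constructed inputs standing in for what a user could send as /ctcp bot PAGE.
proc demo {} {
    # 1. Shell metacharacters inside a word are harmless: echo gets one argument.
    set arg {hello | rm -rf /}
    puts "echo printed: [exec echo $arg]"

    # 2. split does not help: it only reformats the string as a list, and a
    #    one-element list is still a single word that starts with ">".
    foreach w {{hello world} {>eggdrop.conf} {|} {<<} {2>/dev/null} {&}} {
        puts [format "%-14s special=%d  after split=%d" $w \
            [exec_word_is_special $w] [exec_word_is_special [split $w]]]
    }

    # 3. The real effect, confined to a scratch file: a page reading ">somefile"
    #    is taken as an output redirection, so echo writes (and truncates) the
    #    file instead of printing. With the original script that is a
    #    file-truncation primitive for whoever can trigger the bind.
    set f [file join [pwd] page-demo.txt]
    exec echo ">$f"
    set created [file exists $f]
    file delete -force $f
    return $created
}

# Hardened page handler. The user's text never becomes an argv word: it is fed
# to mail(1) on standard input through exec's "<< value" form, and the value
# word after "<<" is consumed as literal data, not inspected for operator
# syntax. The subject is one word beginning with fixed text, so the nick cannot
# turn it into an operator either. Assumptions: mail(1) lives at /usr/bin/mail
# and the recipient address is a placeholder.
proc page:send {nick arg {mailto me@myplace.com}} {
    # Printable ASCII only, capped in length: drops control characters (such as
    # the CTCP \001 marker) and any CR/LF that could inject mail headers.
    if {[string length $arg] > 400 || ![regexp {^[\x20-\x7e]+$} $arg]} {
        error "page text rejected"
    }
    exec /usr/bin/mail -s "Eggdrop Paged by: $nick" $mailto << "$arg\n"
}

# eggdrop glue, shaped like the original script but calling the hardened sender.
if {[llength [info commands putserv]]} {
    bind ctcp n page ctcp:page
    proc ctcp:page {nick host handle dest key arg} {
        if {[catch {page:send $nick $arg} err]} {
            putserv "NOTICE $nick :\001PAGE failed: $err\001"
        } else {
            putserv "NOTICE $nick :\001PAGE sent\001"
        }
        return 0
    }
} else {
    puts "demo created and removed the redirected file: [demo]"
}
```

Run it with tclsh to see the three points in order: the "| rm -rf /" text is printed back untouched, the table shows that split leaves the operator-looking words exactly as special as before, and the scratch file proves the ">" word was honoured as a redirection. When loaded into eggdrop the demo is not run; the handler sends the page through stdin and rejects anything outside printable ASCII before exec is reached.
]]>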
		<entry>
		<author><name><![CDATA[Anonymous]]></name></author>
		<updated>2003-09-24T13:26:28-04:00</updated>

		<published>2003-09-24T13:26:28-04:00</published>
		<id>https://forum.eggheads.org/viewtopic.php?p=27523#p27523</id>
		<link href="https://forum.eggheads.org/viewtopic.php?p=27523#p27523"/>
		<title type="html"><![CDATA[Security regarding the exec command. (Need some guidance).]]></title>

		
		<content type="html" xml:base="https://forum.eggheads.org/viewtopic.php?p=27523#p27523"><![CDATA[
I'm trying to make a *.tcl that will send me an email if someone sends a /ctcp page "Some text" to the bot. (As you can see this is the first time I have tried to do something using Tcl.)<br><div class="codebox"><p>Code: </p><pre><code>bind ctcp n page ctcp:page

proc ctcp:page { nick host handle dest key arg } {
        if { [ catch { exec echo $arg | /usr/bin/mail -s "Eggdrop Paged by: $nick" me@myplace.com } fid ] } {
                putserv "NOTICE $nick :\001Page failed: $fid"
        } else {
                putserv "NOTICE $nick :\001Page Page success!!"
        }
        return 0
}</code></pre></div>This does the job, but I believe the variables in the exec command might be a security hazard? If so, I would really be happy if someone knows a clever way of cleaning the variable of any harmful content, or if there are any websites that deal with such issues I'd be happy to have their URLs. (I have done some searching on my own, but I have not found the right info.)<br><br>BTW, I'm aware that someone might send me 1000 emails as I don't have a system that stops that, but that seems like a minor problem that I can deal with on my own.<br><br>That's all<br><br>Draugen.<p>Statistics: Posted by Guest — Wed Sep 24, 2003 1:26 pm</p><hr />
]]></content>
	</entry>
	</feed>
