This is the new home of the egghelp.org community forum.
All data has been migrated (including user logins/passwords) to a new phpBB version.

For more information, see this announcement post. Click the X in the top right-corner of this box to dismiss this message.

Security regarding the exec command. (Need some guidance).

Old posts that have not been replied to for several years.
Locked
D
Draugen

Security regarding the exec command. (Need some guidance).

Post by Draugen »

Im trying to make a *.tcl that will send me an email if someone sends a /ctcp page "Some text" to the bot. (As you can see this is the first time I have tried to do something using the TCL)

Code: Select all

bind ctcp n page ctcp:page

proc ctcp:page { nick host handle dest key arg } {
        if { [ catch { exec echo $arg | /usr/bin/mail -s "Eggdrop Paged by: $nick" me@myplace.com } fid ] } {
                 putserv "NOTICE $nick :\001Page failed: $fid"
        } else {
                 putserv "NOTICE $nick :\001Page Page success!!"
        } 
        return 0
}
This does the job, but I belive the variables in the exec command might be a security hazard? If that is, I would really would be happy if someone knows a clever way of cleaning the variable for any hamfull content, or if there are any website that deals with such issues I'd be happy to have their url's. ( I have done some searching on my own, but I have not found the right info )

BTW, Im aware that someone might send me 1000 emails as I dont have system stops that, but that seems like a minor problem that I can deal with on my own.

Thats all

Draugen.
Top
User avatar
Sir_Fz
Revered One
Posts: 3794
Joined: Sun Apr 27, 2003 3:10 pm
Location: Lebanon
Contact:
Contact Sir_Fz

Post by Sir_Fz »

Code: Select all

if { [ catch { exec echo $arg | /usr/bin/mail -s "Eggdrop Paged by: $nick" me@myplace.com } fid ] } {
should be

Code: Select all

if { [ catch { exec echo [split $arg] | /usr/bin/mail -s "Eggdrop Paged by: [split $nick]" me@myplace.com } fid ] } {
then it should be okay, I guess.
Top
D
Draugen

Post by Draugen »

Thanks I will try that.
I did read the the split man page, but I was unable to figure out why this is a more secure way to do it.

It converts the string into a table, and while printing out the content from a table it does not run any cmd that might be in it?
Top
p
ppslim
Revered One
Posts: 3914
Joined: Sun Sep 23, 2001 8:00 pm
Location: Liverpool, England

Post by ppslim »

No, that is incorrect.

Split converts a string into a Tcl list.

However, there are ocasions where strings can contain harmful Tcl commands. These will only ever cause hastle when you use them in eval, expr or callback functions like after, filevent, eggdrop timers or the dns query callback in eggdrop.

Using exec with user input is a little more worrying. While you can split the elements in a script to contain a list, it isn;t Tcl dealing with the parsing of the command being sent to exec.

Caracters such as | can be interpreted and causing security issues.

Your best bet is to look at other scripts that deal with exec functions like domain whois scripts, ping script or others. These will give you a good idea of what can be done to combat this.
Top
D
Draugen

Post by Draugen »

hehe, not that easy heh..

Ok, now I at least know its a security hazard..

Thnx

Draugen
Top
Locked

Return to “Archive”