Re: flashplugin-nonfree get-upstream-version.pl security concern
On Wed, Dec 12, 2012 at 05:52:31PM +0000, adrelanos wrote:
> Since get-upstream-version.pl runs as root it can do anything.
>
> I don't accuse him personally for anything. But should he ever be
> compromised (forced, evil maid, etc...) it's very easy to mount a
> stealth attack.
I would worry more about the Adobe's web site getting compromised.
The get-upstream-version.pl script fetches the link to the Flash
player from www.adobe.com and then the download page:
open INPUT, "wget --user-agent=\"$user_agent\" -qO - $url |" or die;
It runs wget using the shell and there is basically no validation for
what $url contains. Even if taint mode was used, this would untaint
the value no matter what it happens to contain:
$page =~ m,<a href="([^"]+)">Adobe Flash Player</a>,s
or die "link to Adobe Flash Player not found on $url";
my $link_to_flash = $1;
What would happen if the link happened to contain "; some nasty
command"?
Given Adobe's security track record with their software products, I
would not trust their web site too much. In fact, I would not like
to run that kind of script against any normal corporate web site,
especially non-https one!
Reply to: