There are at least four security flaws in this piece of software
    #!/bin/sh
    eval ls > $HOME/listing
This is on the cover of a brochure for a "Writing Secure Software" tutorial offered by eSec back in 2001. I kept the brochure because it made me think, and until now, I hadn't been able to find four flaws. I was just doing some cleaning up and I found it again.
So far, I have:
- relying on $PATH to provide ls (someone can overload it to cause something else to be executed).
- trusting the output of the aforementioned ls command and executing it
- relying on $HOME to be set to something sane
- making an assumption about the current working directory of the script (as this is going to influence what ls returns and is thusly fed to eval)
Well, that is four things, but I'm not sure if those were the four things eSec had in mind. Now I think I will throw it out...
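
A rewrite of the brochure script that addresses the four points listed above, as an added example that is not from the brochure or from this post. The function name `write_listing`, its two arguments and the fixed `PATH` value are assumptions made for the example.

```shell
#!/bin/sh
# Added example: the listing script with the four listed issues addressed.

# Point 1: do not inherit the caller's PATH; pin it to system directories
# (assumed locations of ls on the target system).
PATH=/usr/bin:/bin
export PATH

# write_listing DIR OUTDIR  (hypothetical helper)
# Writes the names found in DIR to OUTDIR/listing.
# Returns non-zero instead of guessing when an argument is not usable.
write_listing() {
    dir=$1
    outdir=$2

    # Point 3: do not assume the output location (normally $HOME) is sane.
    # It must be a non-empty absolute path to an existing, writable directory.
    case $outdir in
        /*) ;;
        *)  echo "write_listing: output directory must be absolute" >&2
            return 1 ;;
    esac
    if [ ! -d "$outdir" ] || [ ! -w "$outdir" ]; then
        echo "write_listing: cannot write to $outdir" >&2
        return 1
    fi

    # Point 4: do not depend on the current working directory;
    # the directory to list is named explicitly and checked.
    if [ ! -d "$dir" ]; then
        echo "write_listing: not a directory: $dir" >&2
        return 1
    fi

    # Point 2: no eval. The file names ls prints are data and are only
    # written to the file. Quoting keeps whitespace in paths from splitting
    # words, and "--" stops a DIR that begins with "-" being read as an option.
    ls -- "$dir" > "$outdir/listing"
}

# Stand-alone use: ./listing.sh /some/dir
# An unset HOME expands to the empty string here and is rejected above.
if [ "$#" -ge 1 ]; then
    write_listing "$1" "${HOME:-}"
fi
```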