X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Message-ID: <4.1.19990531071409.02362670@pop3.ActiveState.com> Date: Mon, 31 May 1999 07:16:53 -0700 Reply-To: Michael Smith Sender: Windows NT BugTraq Mailing List From: Michael Smith Subject: ActiveState Security Advisory To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM In-Reply-To: <199905310356.UAA25442@activestate.com> Problem -------- PerlScript and Perl-ISAPI that come with ActivePerl 516 and earlier versions, inadequately check the length of path information sent to open(). Due to limits on path and filename length in Windows, this can crash IIS if sufficiently large strings are provided as paths or filenames. Solution --------- This is fixed in ActivePerl 517 Work Around ------------ If you are unable to upgrade to ActivePerl 517 then all path information should be checked for sane lengths before being passed to open(). The maximum length of a path, including drive, directory and filename is 259 characters. The maximum length of the filename portion of a path is 255 characters. The maximum length of the directory portion of a path is 255 characters. example: $filename = substr $filename, 0, 255; open FOO, ">$filename"; General Comments ----------------- Care should be taken when accepting input from users, especially in a web context where users are untrusted and relatively anonymous. When designing CGI scripts some thought should be given to checking user input for sane values. Use of taint mode and warnings (-t and -w) are also highly recommended. The Activators.