MaximaPHP security update



On 19/03/07, Chris Sangwin <sangwinc at for.mat.bham.ac.uk> wrote:
>
> My solution in
> STACK was not to let users set GNUplot options, rather than trying to
> create a list of all bad functions.
>

Hi Chris, you are right.. I have now disabled the 'gnuplot_preamble' option,
at least temporarily, until I have a solution for the following problem..

I just noticed that though MaximaPHP blocks out the gnuplot 'system'
command, for example.. we can easily bypass the filter by issuing a command
like the one below in MaximaPHP..

mypre: "s";
mypre: concat(mypre, "ystem(\"ls\")");
plot2d(sin(x), [x, -3, 3], [gnuplot_preamble, mypre])

and voila... I could see all my files and directories.. :-(

Anyone know how to block this kind of hidden 'system' command..?

Regards
bowo

On 19/03/07, Chris Sangwin <sangwinc at for.mat.bham.ac.uk> wrote:
>
> Bowo,
>
> I believe that GNU plot also has a "system" command (and related shell
> commands) which are also a rather large security hole.  My solution in
> STACK was not to let users set GNUplot options, rather than trying to
> create a list of all bad functions.
>
> Chris
>
>
> On Mon, 19 Mar 2007, Bowo Prasetyo wrote:
>
> > Hi,
> >
> > I found that using command for example..
> >
> > plot2d(sin(x), [x, -5, 5], [gnuplot_term, "png size 100000, 100000"])
> >
> > in MaximaPHP can cause Maxima to create an arbitrarily large file on your server..
> >
> > So.. I added the following pairs in the blacklist..
> >
> > 'plot2d', '/\bpng\b.*\bsize\b/s'
> > 'plot3d', '/\bpng\b.*\bsize\b/s'
> >
> > Maybe there are other such holes.. so please be careful if you use
> > MaximaPHP on your server.
> >
> > Best regards,
> > bowo
> > _______________________________________________
> > Maxima mailing list
> > Maxima at math.utexas.edu
> > http://www.math.utexas.edu/mailman/listinfo/maxima
> >
>
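As an added illustration of the defender's side of this thread (example code, not code from MaximaPHP or from anyone on the list): a Python model of the posted blacklist, showing that the concat payload quoted above passes it untouched, beside the approach Chris describes, where the server builds the plot call itself and users never get to set gnuplot options at all. The `system` blacklist pattern, the allowed-function set and the fixed output options are assumptions; the two `png size` entries are the ones posted in the thread.

```python
import re

# Blacklist entries as posted in the thread (PHP '/.../s' -> re.S), plus an
# assumed entry for gnuplot's system command, which the thread says MaximaPHP
# blocks but does not quote.
BLACKLIST = [
    ("plot2d", re.compile(r"\bpng\b.*\bsize\b", re.S)),
    ("plot3d", re.compile(r"\bpng\b.*\bsize\b", re.S)),
    ("plot2d", re.compile(r"\bsystem\s*\(")),  # assumed pattern
    ("plot3d", re.compile(r"\bsystem\s*\(")),  # assumed pattern
]

# Constructed inputs: the oversized-PNG case from the thread, the direct form
# of the preamble payload, and the concat form that builds the same string.
HUGE_PNG = 'plot2d(sin(x), [x, -5, 5], [gnuplot_term, "png size 100000, 100000"])'
DIRECT_SYSTEM = 'plot2d(sin(x), [x, -3, 3], [gnuplot_preamble, "system(\\"ls\\")"])'
CONCAT_BYPASS = '''mypre: "s";
mypre: concat(mypre, "ystem(\\"ls\\")");
plot2d(sin(x), [x, -3, 3], [gnuplot_preamble, mypre])'''


def blacklist_rejects(src: str) -> bool:
    """Model of the source-text blacklist: reject if any pattern matches.

    Matching on the text of the command can only see literal substrings, so a
    string assembled at run time (concat) never trips it."""
    return any(cmd in src and pat.search(src) for cmd, pat in BLACKLIST)


# Allowlist approach: the user supplies an expression and a numeric range,
# nothing else. Names and characters outside this set are refused outright.
ALLOWED_FUNCS = {"sin", "cos", "tan", "exp", "log", "sqrt", "abs"}   # assumed
ALLOWED_CONSTS = {"%pi", "%e"}
_TOKEN = re.compile(r"\s+|\d+(?:\.\d+)?|%?[A-Za-z_]\w*|[-+*/^(),]|.", re.S)
_NUMBER = re.compile(r"\d+(?:\.\d+)?")
_IDENT = re.compile(r"[A-Za-z_]\w*")


def validate_expression(expr: str, var: str) -> str:
    """Accept only numbers, the plot variable, allow-listed functions and
    constants, and arithmetic punctuation with balanced parentheses.
    Quotes, ':' and unknown names are refused, so neither system(...) nor a
    concat(...) that assembles it can reach Maxima or gnuplot."""
    if not _IDENT.fullmatch(var):
        raise ValueError("bad variable name")
    depth = 0
    for tok in _TOKEN.findall(expr):
        if tok.isspace() or _NUMBER.fullmatch(tok):
            continue
        if tok in ("+", "-", "*", "/", "^", ","):
            continue
        if tok == "(":
            depth += 1
            continue
        if tok == ")":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced parentheses")
            continue
        if tok == var or tok in ALLOWED_FUNCS or tok in ALLOWED_CONSTS:
            continue
        raise ValueError(f"disallowed token {tok!r}")
    if depth != 0:
        raise ValueError("unbalanced parentheses")
    return expr


def build_plot_command(expr: str, var: str, lo: float, hi: float) -> str:
    """Build the plot2d call on the server. Every plot option is fixed here;
    there is simply no parameter through which a gnuplot option could arrive."""
    expr = validate_expression(expr, var)
    lo, hi = float(lo), float(hi)
    if not lo < hi:
        raise ValueError("empty range")
    # Server-chosen terminal and output file (assumed values).
    return (f'plot2d({expr}, [{var}, {lo!r}, {hi!r}], '
            f'[gnuplot_term, "png"], [gnuplot_out_file, "plot.png"])')


def is_accepted(expr: str, var: str = "x") -> bool:
    """True if the expression passes the allowlist validator."""
    try:
        build_plot_command(expr, var, 0, 1)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for name, src in [("HUGE_PNG", HUGE_PNG), ("DIRECT_SYSTEM", DIRECT_SYSTEM),
                      ("CONCAT_BYPASS", CONCAT_BYPASS)]:
        print(f"{name}: blacklist rejects = {blacklist_rejects(src)}")
    print(build_plot_command("sin(x)", "x", -3, 3))
    print("concat accepted =", is_accepted('concat("s", "ystem")'))
```

The point of the second half is that the check is on what the user is allowed to say, not on what they must not say: the expression grammar has no place for a string literal or an assignment, and the option lists are written by the server. Whether a value is built by concat, by an alias or by a variable no longer matters, because the only user-controlled text that reaches Maxima has already been reduced to a known vocabulary.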