It was found that perl-Data-FormValidator, an HTML form user input validator, used to treat certain invalid fields as valid, when the untaint_all_constraints directive was used (default for majority of Data-FormValidator routines). A remote attacker could use this flaw to bypass perl Taint mode protection mechanism via specially-crafted input provided to the HTML form.

References:
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=629511
[2] https://rt.cpan.org/Public/Bug/Display.html?id=61792
This issue affects the versions of the perl-Data-FormValidator package, as shipped with Fedora release of 13, 14, and 15. Please schedule an update (once final upstream patch known / ready).
CVE Request: [3] http://www.openwall.com/lists/oss-security/2011/06/12/3
Public PoC (from [2]):
======================

#!/opt/perl/5.12/bin/perl

use strict;
use warnings;

use Data::FormValidator;

"some_unrelated_string" =~ m/^.*$/;

my $profile = {
    untaint_all_constraints => 1,
    required => [qw(a)],
    constraint_methods => {
        a => qr/will_never_match/,
    },
};

my $results = Data::FormValidator->check({ a => 1 }, $profile);
warn $results->valid('a');

Have tried on my F-15 machine (perl-Data-FormValidator-4.66-4.fc15.noarch) as:

$ cat test.pl
#!/usr/bin/perl -w

use strict;
use warnings;

use Data::Dumper;
use Data::FormValidator;

"some_unrelated_string" =~ m/^.*$/;

my $profile = {
    untaint_all_constraints => 1,
    required => [qw(a)],
    constraint_methods => {
        a => qr/will_never_match/,
    },
};

my $results = Data::FormValidator->check({ a => 1 }, $profile);
print $results->valid,"\n";

and 'a' is reported as being valid.
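Added example, not part of the original report and not Data::FormValidator code: the PoC's unrelated successful match would matter if an untainting routine reads Perl's match variables after a failed match, which is an assumption here because the report does not state the root cause. The hypothetical helpers untaint_flawed and untaint_checked show that pitfall beside a checked form, using the PoC's own inputs.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helpers for illustration; not Data::FormValidator code.

# Flawed: a failed match in scalar context returns "" (defined but false),
# so testing definedness accepts the failure, and $& still holds the text
# of the last *successful* match made in the enclosing dynamic scope.
sub untaint_flawed {
    my ($value, $re) = @_;
    my $matched = scalar($value =~ $re);
    return defined $matched ? $& : undef;
}

# Hardened: use the capture only when this very match returned true.
# Under taint mode, only such a capture should be handed back as clean.
sub untaint_checked {
    my ($value, $re) = @_;
    return $value =~ /($re)/ ? $1 : undef;
}

# Same shape as the PoC: an unrelated successful match, then a constraint
# that can never match the submitted value.
"some_unrelated_string" =~ m/^.*$/;
my $constraint = qr/will_never_match/;

for my $case ([ flawed => \&untaint_flawed ], [ checked => \&untaint_checked ]) {
    my ($name, $untaint) = @$case;
    my $out = $untaint->(1, $constraint);
    printf "%-8s %s\n", $name,
        defined $out ? "accepted, returned '$out'" : "rejected";
}
```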
Created perl-Data-FormValidator tracking bugs for this issue

Affects: fedora-all [bug 712699]
The CVE identifier of CVE-2011-2201 has been assigned to this issue: http://www.openwall.com/lists/oss-security/2011/06/13/13