[CTS] Re: GGI runs CGI
- From: John Madden <weez@xxxxxxxxxxxxx>
- To: computertalkshop@xxxxxxxxxxxxx
- Date: Sun, 31 Mar 2002 22:18:45 -0500
On Sunday 31 March 2002 06:51 pm, you wrote:
> What are the chances of that, and how could it be dealt with?
> Can such attempts be detected and stopped?
Yes, read up on escaping dangerous characters. Basically, here's the
scenario... You do:
system("command $userinput");
and for $userinput, the user gives you:
"myemail@xxxxxxxxxx && rm -rf /"
So in turn, your command really becomes:
system("command myemail@xxxxxxxx && rm -rf /");
Thus removing all files on the system owned by the user executing the
script. Thanks to UNIX design, however, you'll only be removing the files
the script runs as, generally the web server user, generally "nobody."
Still, that's a problem.
John
--
# John Madden weez@xxxxxxxxxxxxx ICQ: 2EB9EA
# FreeLists, Free mailing lists for all: //www.freelists.org
# UNIX Systems Engineer, Ivy Tech State College: http://www.ivy.tec.in.us
# Linux, Apache, Perl and C: All the best things in life are free!
---------------------------------------------------------------------------
-----
Computer Talk Shop http://www.computertalkshop.com
Un-subscribe/Vacation, http://questforcertification.com/cts/list_options.htm
List HowTo: http://questforcertification.com/cts/faq
To join Computer Talk Shop's off topic list, please goto:
http://questforcertification.com/cts/other_cts_lists.htm
---------------------------------------------------------------------------
------
Other related posts:
