[ale] More on name=value

Mike Fletcher fletch at phydeaux.org
Fri Jul 16 13:27:09 EDT 1999


>>>>> "Bert" == Bert Hiddink <hiddink at sipromicro.com> writes:


    Bert> #!/bin/sh 
    Bert> echo Content-type:text/html 
    Bert> echo

    Bert> eval $1

	This is BAD.  For those in the audience fuzzy on the whole
good/bad thing, imagine the following URL:

http://my.host.net/cgi-bin/bad-idea?/bin/sh

	The script above would then have blithely executed a shell for
me which I could POST scripts into.  Granted that if the httpd is
set up correctly it shouldn't drop me into a root shell, but I've got
access to your box anyhow and could swipe any data available to the
uid the httpd is running as.  Not to mention having my foot in the
door and potentially being able to work my way up to root access.

	You (and whoever suggested using eval like this :) really
should read the WWW Security FAQ, especially the section on CGIs.

	And learn perl. :)

http://www.w3.org/Security/Faq/www-security-faq.html
http://www.w3.org/Security/Faq/wwwsf4.html


-- 
Fletch                |                                            __`'/|
fletch at phydeaux.org   |       "I drank what?" -- Socrates          \ o.O'
678 443-6239(w)       |                                            =(___)=
                      |                                               U
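A shell CGI that reads its name=value parameters without ever handing request data to eval, as an added example that is not from this thread or its authors. QUERY_STRING is the CGI convention; the parameter names and the sample query are constructed for the demo.

```sh
#!/bin/sh
# Added example: parsing CGI name=value pairs in /bin/sh without eval.
# Parameter names ("name", "cmd", "x") and the sample query are made up.

# Decode one URL-encoded value: '+' becomes a space, %XX becomes the byte.
# Only awk touches the data; nothing from the request reaches eval or a shell.
# (Bytes above 127 depend on the awk and locale in use; %00 is dropped.)
url_decode() {
    printf '%s\n' "$1" | awk '
    BEGIN { for (i = 1; i < 256; i++) { h = sprintf("%02X", i); hex[h] = hex[tolower(h)] = sprintf("%c", i) } }
    {
        gsub(/\+/, " ")                 # before %2B decoding, so a decoded + survives
        out = ""
        while (match($0, /%[0-9A-Fa-f][0-9A-Fa-f]/)) {
            out = out substr($0, 1, RSTART - 1) hex[substr($0, RSTART + 1, 2)]
            $0 = substr($0, RSTART + 3)
        }
        print out $0
    }'
}

# Print the decoded value of parameter $2 from query string $1 (empty if absent).
# The name is compared literally against the raw, undecoded key.
cgi_param() {
    query=$1 want=$2
    printf '%s\n' "$query" | tr '&' '\n' | while IFS='=' read -r key value; do
        if [ "$key" = "$want" ]; then
            url_decode "$value"
            break
        fi
    done
}

# Escape a value for an HTML body, so "<script>" is shown as text, not run.
html_escape() {
    printf '%s\n' "$1" | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g; s/"/\&quot;/g'
}

# Constructed request: a harmless name plus the /bin/sh value from the thread.
QUERY_STRING='name=Bert+Hiddink&cmd=%2Fbin%2Fsh'
printf 'Content-type: text/html\n\n'
# The script looks up only the parameters it knows; "cmd" is never executed,
# it is just text that this script happens not to ask for.
printf '<p>Hello, %s</p>\n' "$(html_escape "$(cgi_param "$QUERY_STRING" name)")"
```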