[ale] More on name=value

Eric Z. Ayers eric.ayers at mindspring.com
Sat Jul 17 09:13:02 EDT 1999


SORRY!  I was thinking of it as a general shell script problem, not as 
running it from a web page...  If this were perl, it would be a
snap...


$ARGV[0]=~/=(.*)$/;
$value=$1;

and you'd have your value out in a jiffy!


-Eric.

Mike Fletcher writes:
 > >>>>> "Bert" == Bert Hiddink <hiddink at sipromicro.com> writes:
 > 
 > 
 >     Bert> #!/bin/sh 
 >     Bert> echo Content-type:text/html 
 >     Bert> echo
 > 
 >     Bert> eval $1
 > 
 > 	This is BAD.  For those in the audience fuzzy on the whole
 > good/bad thing, imagine the following URL:
 > 
 > http://my.host.net/cgi-bin/bad-idea?/bin/sh
 > 
 > 	The script above would then have blithely executed a shell for
 > me which I could POST scripts into.  Granted that if the httpd is
 > setup correctly it shouldn't drop me into a root shell, but I've got
 > access to your box anyhow and could swipe any data available to the
 > uid the httpd is running as.  Not to mention having my foot in the
 > door and potentially being able to work my way up to root access.
 > 
 > 	You (and whomever sugguested using eval like this :) really
 > should read the WWW Security FAQ, especially the section on CGI's.
 > 
 > 	And learn perl. :)
 > 
 > http://www.w3.org/Security/Faq/www-security-faq.html
 > http://www.w3.org/Security/Faq/wwwsf4.html
 > 
 > 
 > -- 
 > Fletch                |                                            __`'/|
 > fletch at phydeaux.org   |       "I drank what?" -- Socrates          \ o.O'
 > 678 443-6239(w)       |                                            =(___)=
 >                       |                                               U






More information about the Ale mailing list