

Book of guest & Post it!
2nd Nov 2001 [SBWID-4837]





	David Kumme found the following in Seth Leonard's Book of guests and Post
	it! CGIs, available at

	The problem is that the script does not filter ANY metacharacters out of
	the input before passing it to the shell. Therefore, by writing something
	like ;cat /etc/passwd|mail into the email field, an attacker could take
	control of the host.




	First of all, it is not a bad idea to set the permissions of the script
	correctly. Furthermore, the line

	if ($INPUT{'email'} =~ /(.*)@(.*)/) { ... }

	should be replaced by something like

	if ($INPUT{'email'} =~ /^[\w.-]+\@[\w.-]+$/) { ... }
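	As an added illustration (this is not code from the advisory or from the
	guestbook scripts), the Perl below places the shell-interpolating open that
	causes the problem next to a hardened version that applies a whitelist check
	in the spirit of the regex suggested above and starts sendmail without a
	shell; the sendmail path and the sample inputs are assumptions.

```perl
#!/usr/bin/perl
# Added example, not the guestbook's own code. The sendmail path is assumed.
use strict;
use warnings;

# Whitelist check in the spirit of the advisory's suggested regex, with the
# trailing quantifier and end anchor its fragment lacks. Only word characters,
# dots and hyphens may appear on either side of the @, so ';', '|', '`', '$',
# '&' and whitespace can never reach the command line. \z is used instead of $
# because $ would also accept a trailing newline.
sub valid_email {
    my ($addr) = @_;
    return (defined $addr && $addr =~ /^[\w.-]+\@[\w.-]+\z/) ? 1 : 0;
}

# VULNERABLE pattern (what the original CGI effectively does): the field is
# interpolated into one command string, which Perl hands to /bin/sh, so any
# shell metacharacter in $addr becomes part of the command.
sub send_unsafe {
    my ($addr, $body) = @_;
    open(my $mail, "|/usr/lib/sendmail $addr") or die "sendmail: $!";
    print $mail $body;
    close $mail;
}

# HARDENED: reject anything outside the whitelist, then use the list form of
# open, which executes sendmail directly with $addr as a single argv element
# and never involves a shell at all.
sub send_safe {
    my ($addr, $body) = @_;
    die "rejected address\n" unless valid_email($addr);
    open(my $mail, '|-', '/usr/lib/sendmail', $addr) or die "sendmail: $!";
    print $mail $body;
    close $mail;
}

# Constructed sample inputs: an ordinary address and the metacharacter string
# from the advisory (its recipient part is left as the advisory shows it).
for my $field ('guest@example.org', ';cat /etc/passwd|mail') {
    printf "%-25s -> %s\n", $field, valid_email($field) ? 'accepted' : 'rejected';
}
```

	Even with the list-form open, keep the whitelist: it is what stops a
	malformed field from becoming an unexpected sendmail argument.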

