>>>>> "Jonathan" == Jonathan e paton <[EMAIL PROTECTED]> writes:
Jonathan> I don't think the shell is called to resolve the
Jonathan> "/home/users/me/web/$in{'NAME'}.ext" bit, and therefore
Jonathan> you cannot run commands with it.

It would be if $in{NAME} contained "|\0". NUL characters terminate
the string, and if | appears just before that, bingo, it's a shell
command, not a file open. Trivial to get:

    /cgi-bin/yourscript?NAME=%7C%00

All that's needed now is to make that "\n/evil/command|\0" instead.
I'll leave that up to the guy that's about to visit your site. :)

Never trust CGI params.
Never trust CGI params.
Never trust CGI params.

--
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
<[EMAIL PROTECTED]> <URL:http://www.stonehenge.com/merlyn/>
Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!
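
An added example, not part of the message above or of the original poster's script: one way to act on "never trust CGI params" for the path discussed in the thread, by allow-listing the NAME value and using three-argument open() so the mode is never taken from the string. The names $BASE_DIR, safe_name and open_user_file are hypothetical, and the sample inputs are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumption: the directory from the quoted path; adjust for your site.
my $BASE_DIR = '/home/users/me/web';

# Allow-list check: letters, digits, underscore and hyphen only.
# \A and \z anchor the whole string, so a trailing newline cannot
# slip past the way it can with ^ and $. NUL, |, / and . never match.
sub safe_name {
    my ($name) = @_;
    return undef unless defined $name;
    return $name =~ /\A([A-Za-z0-9_-]{1,64})\z/ ? $1 : undef;
}

# Open the file for reading with the three-argument form of open().
# The mode is its own argument, so nothing in the path is ever
# interpreted as a pipe or a redirection.
sub open_user_file {
    my ($raw) = @_;
    my $name = safe_name($raw);
    die "rejected NAME parameter\n" unless defined $name;
    my $path = "$BASE_DIR/$name.ext";
    open(my $fh, '<', $path) or die "cannot open $path: $!\n";
    return $fh;
}

# Constructed sample inputs, as they look after URL decoding.
# "|\0" is the value the message above shows arriving as %7C%00.
my @samples = ('report', "|\0", '../../etc/passwd', "report\n", '');

for my $raw (@samples) {
    # Make control characters visible in the output.
    (my $shown = $raw) =~ s/([^\x20-\x7e])/sprintf('\\x%02x', ord $1)/ge;
    my $fh = eval { open_user_file($raw) };
    my $result = $fh ? 'opened' : $@;
    chomp $result;
    close $fh if $fh;
    printf "%-22s %s\n", "'$shown'", $result;
}
```

Only 'report' reaches open(); it is reported as opened or as a normal "cannot open" error depending on whether the file exists, while every other sample is rejected before any file operation.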