Nikolaus Rath, on Thu 25 Sep 2014 17:26:40 -0700, wrote:
> Samuel Thibault <sthiba...@debian.org> writes:
> > Matthias Urlichs, on Thu 25 Sep 2014 21:17:58 +0200, wrote:
> >> Samuel Thibault:
> >> > Sounds crazy to me.
> >> >
> >> Definitely. This is now out in the wild; exploits which simply replace
> >> echo or cat-without-/bin are going to happen. :-/
> >
> > That's not so easy to exploit. You have to manage to inject those precise
> > variable names.
>
> Wasn't there some web server that used to put query script variables
> into the environment of the CGI script?

Well, that ought to have been fixed a long time ago already, otherwise
you could have injected all sorts of LD_*.

Samuel