Commands and Utilities Proposal, 0.2

Jakob 'sparky' Kaivo jkaivo at
Tue Nov 23 11:22:43 PST 1999

Alan Cox <alan at> writes:

> There have been several security holes and incidents caused by folks using 
> mailx as mail in web forms. In particular things like
>  Hello
>  ~!rm -rf /home/httpd/html/*
> is mishandled by mailx used as mail 8)

Ouch. This points out two things:

Don't let your web server run programs as a user with any sort of

Always parse input in CGI scripts before calling external programs (or
better yet, don't call external programs).

Since it is already common for mail to be a symlink to mailx (or the
other way around, either way mail provides mailx functionality), it is
a case of careless (or at least, not careful enough) programming on
the part of the script writer.

Jakob 'sparky' Kaivo - jkaivo at -
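
An added example, not part of the original post: one way a form handler can follow both pieces of advice above, checking input and building the mail in-process so that a body line starting with `~` (a mailx tilde escape) is never interpreted. The function names, addresses and sample body are assumptions constructed for illustration.

```python
import re
from email.message import EmailMessage

# Constructed sample form body, modelled on the one quoted above.
SAMPLE_BODY = "Hello\n~!rm -rf /home/httpd/html/*\n"

# Deliberately strict address pattern (hypothetical policy for this example).
ADDR_RE = re.compile(r"[A-Za-z0-9._+-]+@[A-Za-z0-9.-]+")

def tilde_lines(body):
    """Return the lines a tilde-escape-aware mailer would treat as commands."""
    return [ln for ln in body.splitlines() if ln.startswith("~")]

def clean_header(value):
    """Reject CR/LF and other control characters in single-line header fields."""
    if any(ord(c) < 32 or ord(c) == 127 for c in value):
        raise ValueError("control character in header field")
    return value.strip()

def build_message(sender, recipient, subject, body):
    """Build the mail in-process; the body is data and is never interpreted."""
    for addr in (sender, recipient):
        # fullmatch, so a trailing newline cannot slip past the pattern
        if not ADDR_RE.fullmatch(addr):
            raise ValueError("unacceptable address: %r" % addr)
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = clean_header(subject)
    msg.set_content(body)
    return msg

if __name__ == "__main__":
    # Lines worth logging or rejecting if the text were ever piped to mailx.
    print(tilde_lines(SAMPLE_BODY))
    msg = build_message("form@example.org", "webmaster@example.org",
                        "Feedback", SAMPLE_BODY)
    # Delivery would go through smtplib.SMTP(...).send_message(msg):
    # no shell and no mailx in the path, so the "~!" line stays plain text.
    print(msg.get_content())
```
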
