Commands and Utilities Proposal, 0.2

Jakob 'sparky' Kaivo jkaivo at elijah.nodomainname.net
Tue Nov 23 11:22:43 PST 1999


Alan Cox <alan at lxorguk.ukuu.org.uk> writes:

> There have been several security holes and incidents caused by folks using 
> mailx as mail in web forms. In particular things like
> 
>  Hello
>  ~!rm -rf /home/httpd/html/*
> 
> is mishandled by mailx used as mail 8)

Ouch. This points out two things:

Don't let your web server run programs as a user with any sort of
privileges.

Always parse input in CGI scripts before calling external programs (or
better yet, don't call external programs).

Since it is already common for mail to be a symlink to mailx (or the
other way around, either way mail provides mailx functionality), it is
a case of careless (or at least, not careful enough) programming on
the part of the script writer.

-- 
Jakob 'sparky' Kaivo - jkaivo at ndn.net - http://jakob.kaivo.net/
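As an added illustration of the "parse input before calling external programs" advice above (this is example code, not part of the original post or of any LSB specification), the following Python module neutralises mailx command escapes in a form body before it is handed to a mail program, flags any such lines for logging, and invokes the mailer without a shell. It assumes the local program is called `mail`, accepts `-s subject recipient`, reads the body on standard input, and follows the mailx convention that a line beginning with `~~` yields a literal leading tilde; the function and variable names are the example's own.

```python
import re
import subprocess

# Example code added here; not taken from the original post.
# Assumed: the mailer is invoked as "mail -s SUBJECT RECIPIENT" and reads
# the message body on stdin, and "~~" at line start is a literal tilde.

# A command escape in mailx is any line whose first character is "~".
_ESCAPE_AT_LINE_START = re.compile(r"^~", re.MULTILINE)

# Deliberately narrow address syntax: only what a web form should ever need.
_ADDRESS_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def _normalize_newlines(text: str) -> str:
    """Fold CRLF and bare CR to LF so a stray carriage return cannot hide
    a tilde at the start of what the mailer will see as a new line."""
    return text.replace("\r\n", "\n").replace("\r", "\n")


def find_command_escapes(body: str) -> list:
    """Return (line_number, line) for every line that mailx would treat
    as a command escape. Useful for logging or rejecting suspicious input."""
    lines = _normalize_newlines(body).split("\n")
    return [(n, line) for n, line in enumerate(lines, start=1)
            if line.startswith("~")]


def neutralize_tilde_escapes(body: str) -> str:
    """Prefix every line that starts with '~' with a second '~', so mailx
    inserts the text literally instead of interpreting it as an escape."""
    return _ESCAPE_AT_LINE_START.sub("~~", _normalize_newlines(body))


def validate_recipient(address: str) -> str:
    """Accept only a plain address: no leading '-' (would be parsed as an
    option by the mailer), no whitespace, no newlines, no extra tokens."""
    address = address.strip()
    if address.startswith("-") or not _ADDRESS_RE.match(address):
        raise ValueError("refusing unsafe recipient address: %r" % address)
    return address


def send_form_mail(recipient: str, subject: str, body: str,
                   mail_cmd: str = "mail") -> None:
    """Send a web-form message through the external mailer safely:
    validated recipient, single-line subject, escapes neutralised,
    and an argument list instead of a shell command line."""
    recipient = validate_recipient(recipient)
    subject = _normalize_newlines(subject).replace("\n", " ")
    suspicious = find_command_escapes(body)
    if suspicious:
        # Defender's hook: record what was attempted before neutralising it.
        print("form body contained %d command-escape line(s)" % len(suspicious))
    safe_body = neutralize_tilde_escapes(body)
    # No shell is involved, so metacharacters in any argument are inert.
    subprocess.run([mail_cmd, "-s", subject, recipient],
                   input=safe_body, text=True, check=True)


if __name__ == "__main__":
    # Constructed sample input, as a web form might submit it.
    sample = "Hello\r\n~!uptime\r\nRegards"
    print(find_command_escapes(sample))
    print(neutralize_tilde_escapes(sample))
```

The better option the post hints at, not calling an external program at all, would replace `send_form_mail` with a direct SMTP submission (for example via Python's `smtplib`), which removes the tilde-escape problem entirely because no interactive mail front end ever parses the body.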


