[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Commands and Utilities Proposal, 0.2

Alan Cox <alan@lxorguk.ukuu.org.uk> writes:

> There have been several security holes and incidents caused by folks using 
> mailx as mail in web forms. In paticular things like
>  Hello
>  ~!rm -rf /home/httpd/html/*
> is mishandled by mailx used as mail 8)

Ouch. This points out two things:

Don't let your web server run programs as a user with any sort of

Always parse input in CGI scripts before calling external programs (or
better yet, don't call external programs).

Since it is already common for mail to be a symlink to mailx (or the
other way around, either way mail provides mailx funcionality), it is
a case of careless (or at least, not careful enough) programming on
the part of the script writer.

Jakob 'sparky' Kaivo - jkaivo@ndn.net - http://jakob.kaivo.net/

Reply to: