Re: Commands and Utilities Proposal, 0.2

To: Alan Cox <alan@lxorguk.ukuu.org.uk>
Cc: lsb-spec@lists.linuxbase.org, lsb-discuss@lists.linuxbase.org
Subject: Re: Commands and Utilities Proposal, 0.2
From: "Jakob 'sparky' Kaivo" <jkaivo@elijah.nodomainname.net>
Date: 23 Nov 1999 11:22:43 -0800
Message-id: <[🔎] m3ln7pko70.fsf@elijah.nodomainname.net>
In-reply-to: Alan Cox's message of "Tue, 23 Nov 1999 19:15:18 +0000 (GMT)"
References: <[🔎] E11qLPL-0005Lj-00@the-village.bc.nu>

Alan Cox <alan@lxorguk.ukuu.org.uk> writes:

> There have been several security holes and incidents caused by folks using 
> mailx as mail in web forms. In paticular things like
> 
>  Hello
>  ~!rm -rf /home/httpd/html/*
> 
> is mishandled by mailx used as mail 8)

Ouch. This points out two things:

Don't let your web server run programs as a user with any sort of
priveliges.

Always parse input in CGI scripts before calling external programs (or
better yet, don't call external programs).

Since it is already common for mail to be a symlink to mailx (or the
other way around, either way mail provides mailx funcionality), it is
a case of careless (or at least, not careful enough) programming on
the part of the script writer.

-- 
Jakob 'sparky' Kaivo - jkaivo@ndn.net - http://jakob.kaivo.net/

Reply to:

References:
- Re: Commands and Utilities Proposal, 0.2
  - From: Alan Cox <alan@lxorguk.ukuu.org.uk>

Prev by Date: Re: Commands and Utilities Proposal, 0.2
Next by Date: Re: Commands and Utilities Proposal, 0.2
Previous by thread: Re: Commands and Utilities Proposal, 0.2
Next by thread: Re: Commands and Utilities Proposal, 0.2
Index(es):
- Date
- Thread