Quoting Doru Petrescu (pdoruat_private) from Wed, Jun 24, 1998 at 08:51:11AM +0300: > Hi, > > I've found a serious problem in textcounter.pl script that enable > everybody to execute commands on your system with the same rights as the > httpd daemon. Bah, that's what I get for writing things at 3:30 am. Regarding my previous post: Yes, this script's vulnerability allows execution of arbitrary commands. Part about 'same rights as http daemon' still implies poor configuration of httpd. Obviously, translate that to 'with the same rights as the user running this poorly-written prefabricated script' for a properly- configured httpd. Use cgiwrap. Don't run scripts from untrusted sources. Don't take candy from strangers. Breathe. -Rich -- Rich Lafferty -----------+------------------------------------------- Department of Sociology | "Theory means you have ideas; ideology McGill University | means ideas have you" -unknown anarchist laffertyat_private ------+-------------------------------------[mcq]-
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:59:16 PDT