Hello all.

Dnstools 1.08 (available at http://www.dnstools.com/dnst_v1.tgz) has 18 cgi scripts with various functions, like AddMx, DeleteDomain, that all start off like this:

-----------------
#!/usr/bin/perl
use CGI;
use DBI;
my $CGI = new CGI;

########################################################
### Get all of the values from the web form
########################################################
my $host_name;
my $domain_name;
$host_name = $CGI->param("host_name");
$domain_name = $CGI->param("domain_name");
$error_description = "";
my $error_code = system("/usr/local/dnstools/delete_mx -d \"$domain_name\" -n \"$host_name\"");
-------------

Not a lick of input validation is done, so executing and poking around the filesystem as the webserver is possible. It doesn't even vainly check the referrer. This costs $800??

--
jonathanat_private
http://leto.net
"With pain comes clarity."
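The hardened form of the pattern quoted in the post, as an added example that is not part of the original message or of dnstools: both parameters are validated as DNS names and then passed to `system` as a list, so no shell ever parses them. The binary path and the `-d`/`-n` flags are taken from the post; the helper names and the accepted name syntax are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Added example, not dnstools code. Path and -d/-n flags are copied from
# the post; the validation policy and sub names are assumptions.
my $DELETE_MX = '/usr/local/dnstools/delete_mx';

# One DNS label: letters, digits, hyphen; 1-63 chars; no leading or
# trailing hyphen (which also blocks values that look like options).
my $LABEL = qr/[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?/;

sub valid_dns_name {
    my ($name) = @_;
    return 0 unless defined $name && length($name) <= 253;
    # \A and \z anchor the whole string; $ would allow a trailing newline.
    return $name =~ /\A$LABEL(?:\.$LABEL)*\z/ ? 1 : 0;
}

# Build the argument vector, or return an empty list if a value is rejected.
sub delete_mx_argv {
    my ($domain_name, $host_name) = @_;
    return unless valid_dns_name($domain_name) && valid_dns_name($host_name);
    return ($DELETE_MX, '-d', $domain_name, '-n', $host_name);
}

# List-form system() executes the program directly: no /bin/sh is involved,
# so quotes, semicolons and backticks in a value are never interpreted.
sub run_delete_mx {
    my @argv = delete_mx_argv(@_) or return -1;
    return system { $argv[0] } @argv;
}

# Constructed sample inputs: [label, domain_name, host_name].
my @samples = (
    [ 'plain names',         'example.com',      'mail' ],
    [ 'quote and semicolon', 'example.com',      'mail"; echo x; "' ],
    [ 'command substitution','example.com$(id)', 'mail' ],
    [ 'trailing newline',    "example.com\n",    'mail' ],
    [ 'option-like value',   '-x',               'mail' ],
);
for my $s (@samples) {
    my @argv = delete_mx_argv($s->[1], $s->[2]);
    printf "%-22s => %s\n", $s->[0], @argv ? 'accepted' : 'rejected';
}
```

Only the first sample is accepted. `run_delete_mx` is not called in the demo loop because it needs the dnstools binary to be installed.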