
Re: [MacPerl] Dangerous cgi-script



Nicolas Le Clerc <nleclerc@pobox.com> writes:
}
}On a Unix machine, with no more than three successive alphabetic
}characters you can still do:
}
}	`rm -rf /`;
}
}Even if your script is not running as root, this won't do much good to
}your machine.

On any Unix machine where the admin has half a clue, the web server is
running chrooted and with a uid of "nobody" or equivalent.  There's a limit
to the damage that can be done.  I don't have much interest in or
experience with Mac webservers (I run NetPresenz on my Mac just for kicks),
but I believe they also don't permit mucking around outside the folder in
which they are placed (the equivalent of chroot), and are running as
"Guest".

Not that I think that running a CGI that does arbitrary evals is a good
idea (it's a terrible idea), but it's not like posting the root password ...

}
}Nicolas
}
}--
}Nicolas LE CLERC
}<mailto:nleclerc@pobox.com>
}<finger:nleclerc@pobox.com>
}
}

---
Paul J. Schinder
NASA Goddard Space Flight Center
Code 693, Greenbelt, MD 20771
schinder@pjstoaster.pg.md.us


