[2092] in bugtraq


Re: SECURITY HOLE: "Guestbook"

daemon@ATHENA.MIT.EDU (M. Zaiem Beg)
Tue Aug 8 21:42:20 1995

Date:         Tue, 8 Aug 1995 14:43:47 -0600
Reply-To: Bugtraq List <BUGTRAQ@CRIMELAB.COM>
From: "M. Zaiem Beg" <zbeg@fortnet.org>
X-To:         Bugtraq List <BUGTRAQ@CRIMELAB.COM>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@CRIMELAB.COM>
In-Reply-To:  <199508042059.OAA27169@crimelab.com>

On Fri, 4 Aug 1995 smb@research.att.com wrote:

> > The version of "Guestbook" available at
> > <URL:http://alpha.pr1.k12.co.us/~mattw/scripts/guestbook.html>
> > allows execution of arbitrary commands under the server UID.
> > [ ... ]
>
> > It's the same old story -- forks a shell and sends off user-
> > supplied form data without checking it at all.  In my probes
> > I'm also finding sites running their webservers as root...
> > BAD BAD.  DON'T DO THIS.
>
It's been fixed.
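The bug class described in the quoted report (a CGI handler that pastes a form field into a shell command line) is illustrated below. This is an added example, not the Guestbook script or its fix, and the function names, the `email` field and the `mail` invocation are assumptions made for the illustration. The unsafe construction is returned as a string and never executed; the hardened version validates the field against an allow-list and passes an argv list to the program with no shell in between.

```python
"""Command injection via a CGI form field: unsafe shell string vs. argv list.

Added example, not the Guestbook code. 'email' as the form field and
'mail' as the notification program are assumptions for illustration.
"""
import re
import subprocess

# Constructed sample submissions (not taken from the original report).
SAMPLE_FORMS = [
    {"realname": "Jane Doe", "email": "jane@example.org"},
    {"realname": "Jane Doe", "email": "jane@example.org; extra"},
]

# Allow-list for a plain address: no whitespace, quotes or shell
# metacharacters can match, so the check rejects them by construction.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def unsafe_command_line(form):
    """The vulnerable pattern: plain string concatenation that a shell
    would later parse. Returned, not run, so the reader can see that a
    ';' inside the field survives into the command line as a separator."""
    return "mail -s 'Guestbook entry' " + form["email"]


def validate_email(value):
    """True only when the field is a plain address per EMAIL_RE."""
    return bool(EMAIL_RE.match(value))


def safe_argv(form):
    """Hardened form: validate first, then build an argv list so the
    field is exactly one argument. Returns None for rejected input."""
    if not validate_email(form["email"]):
        return None
    return ["mail", "-s", "Guestbook entry", form["email"]]


def send_notification(form):
    """Run the validated argv with shell=False (the default for a list),
    so no shell ever sees the user-supplied field. Returns False when the
    input was rejected; the 'mail' binary is assumed to exist when called."""
    argv = safe_argv(form)
    if argv is None:
        return False
    subprocess.run(argv, input=b"New guestbook entry\n", check=False)
    return True


if __name__ == "__main__":
    for form in SAMPLE_FORMS:
        print("unsafe string:", repr(unsafe_command_line(form)))
        print("safe argv    :", safe_argv(form))
```

The argv list is the real fix; the regex is defence in depth, since a rejected field never reaches the program at all. Running the web server as an unprivileged user, as the report also urges, bounds what a successful injection could do.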