[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Gnumed-devel] re: hacked

From: flotsamjetsom
Subject: [Gnumed-devel] re: hacked
Date: Wed, 24 Nov 2004 10:12:38 +1100
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.3) Gecko/20040913

The exploit can  gain the privileges of the users as which TWiki and the web
server run through the global search function of TWiki, allowing to execute
arbitrary shell commands as that user.

this sounds like quite a well known way of exploiting web servers; did the command filter through an escape() function ( escapes separater characters such as ; which can end a search command and allow the rest of the input string to be fed as a perl/ php or whatever method call)?
that was what I remember how a php tuturial ( 3 years ago) recommended
pre-processing user input that is used as a command parameter.

reply via email to

[Prev in Thread] Current Thread [Next in Thread]