system command and dummy fields
Walter Vaughan
wvaughan at steelerubber.com
Mon May 19 05:18:46 PDT 2008
Fairlight wrote:
>Y'all catch dis heeyah? Walter Vaughan been jivin' 'bout like:
>
>
>>Also be aware that fields 7 and 8 are now vectors that can get you in
>>trouble. If someone puts "; evil_command; " in one of those fields, they
>>have full access to whatever filepro has as well. Delete, change records,
>>logs, etc... at will
>>
>>You might want to strip those fields of semicolons for auditing purposes.
>>
>>
>
>Walter, you do enough web design that I'd have expected you to know that
>semicolons aren't the only thing that can get you in trouble.
>
>
It's early in the morning. Thanks for the rest of the explanation for
Dennis.
It's not that you expect users to do evil things. Evil things can happen
when you least expect it.
Crap falls on keyboards and all sorts of weird things happen with
unnatural data.
>In fact, pipes are another huge vector. And pipes work on both *nix and
>Windows...a fact that proved the big common arbitrary code execution
>exploit in fPCGI 1.0 before I managed to convince them to close it.
>Doesn't even matter if another part of the line errors--if the malicious
>part is executed, you're screwed.
>
>Then there are grave quotes, which can also come anywhere within the
>command on *nix, and also allow for easy injection.
>
>In general, -all- shell metacharacters should be stripped from
>user-supplied segments of anything that will ever touch a command
>interpreter. Actually, if your architecture requires user-supplied data on
>the command line, the architecture should be better designed, as a general
>rule of thumb.
>
Agreed.
--
wdv
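The stripping approach and the "better architecture" alternative discussed in the thread, as an added example that is not from the filepro-list or from filepro itself; the metacharacter set and the field7/field8 names are assumptions:

```python
import re
import subprocess

# Characters that an unquoted POSIX shell command line treats specially,
# plus the ones cmd.exe cares about (& | < > ^ %).  Assumption: this set is
# illustrative; validate against the interpreter you actually invoke.
SHELL_META = re.compile(r'[;|&`$<>()\[\]{}*?!~^%#\'"\\\n\r]')

def find_shell_metachars(field_value: str) -> list[str]:
    """Distinct shell metacharacters found in a field value.

    An empty list means the value can be passed through as plain text; a
    non-empty list is what the thread suggests flagging for audit."""
    return sorted(set(SHELL_META.findall(field_value)))

def strip_shell_metachars(field_value: str) -> str:
    """The 'strip the semicolons' approach widened to every metacharacter
    in SHELL_META (pipes, grave quotes, redirections, ...)."""
    return SHELL_META.sub('', field_value)

def build_argv(program: str, field7: str, field8: str) -> list[str]:
    """Preferred design: hand the field contents to the child as discrete
    argv entries, so no interpreter ever parses them.  '--' asks programs
    that honour it to stop option parsing, so a field starting with '-'
    is data, not a flag.  (field7/field8 are hypothetical names for the
    two fields mentioned in the thread.)"""
    return [program, '--', field7, field8]

def run_without_shell(argv: list[str]) -> subprocess.CompletedProcess:
    # shell=False is the default; spelled out because it is the whole point:
    # ';', '|' and '`' inside argv arrive verbatim and cannot chain commands.
    return subprocess.run(argv, shell=False, capture_output=True, text=True)

if __name__ == '__main__':
    # Constructed sample field contents, including the thread's own example.
    for sample in ['Acme Rubber Co', '; evil_command; ', 'a|b', '`date`']:
        print(repr(sample), find_shell_metachars(sample))
    # Even with a hostile field, /bin/echo just prints its arguments literally.
    print(run_without_shell(build_argv('/bin/echo', '; evil_command; ', 'x')).stdout)
```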