Re: [nocol-users] security problems with webnocol.cgi, genweb.pl, notifier.pl, etc.
> As far as webnocol.cgi goes, it will happily execute whatever
> the subcommand field in the GET/POST request tells it to
> execute! Not verifying user input is scary enough, but to
> take an arbitrary command that they provide and execute it
> is just plain foolhardy.

No, it will only execute the subcommand if it exists in the cmdlist
array. However, I will take a look at tightening things up.

--
_______________________________________________________________________
Rick Beebe                                         (203) 785-6416
Manager, Systems & Network Engineering        FAX: (203) 785-3978
ITS-Med Production Services                Richard.Beebe@yale.edu
Yale University School of Medicine
Suite 214, 100 Church Street South, New Haven, CT 06519
_______________________________________________________________________
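An added example, not part of the message above and not NOCOL code: a membership check against a command list only acts as an allowlist when the match is exact and the command that runs comes from the list rather than from the request. The table %CMDLIST, its entries and paths, and both function names are hypothetical; the requests are constructed samples.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical allowlist: keyword from the request => fixed argv to run.
# The request only ever selects a key; it never supplies the command itself.
my %CMDLIST = (
    events  => ['/path/to/show-events'],
    summary => ['/path/to/show-summary', '--brief'],
);

# Loose check (the weak form): unanchored pattern match against the list,
# so any request that merely contains a listed keyword is accepted.
sub loose_check {
    my ($sub) = @_;
    my $hits = grep { $sub =~ /$_/ } keys %CMDLIST;
    return $hits;
}

# Strict check: exact hash lookup. Returns a copy of the argv stored in the
# table, or nothing when the request must be rejected.
sub resolve_subcommand {
    my ($sub) = @_;
    return unless defined $sub && exists $CMDLIST{$sub};
    return [ @{ $CMDLIST{$sub} } ];
}

# Constructed sample values for the subcommand field.
my @requests = ('events', 'summary', 'events; id', 'EVENTS', '');

for my $sub (@requests) {
    my $argv = resolve_subcommand($sub);
    printf "%-14s loose=%-6s strict=%s\n", "'$sub'",
        loose_check($sub) ? 'accept' : 'reject',
        $argv ? "run [@$argv]" : 'reject';
    # A handler would then call system(@$argv) in list form, so no shell
    # parses anything that came from the request.
}
```

With these samples the loose check accepts 'events; id' while the exact lookup rejects it, along with 'EVENTS' and the empty string.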