

     Re: [nocol-users] security problems with webnocol.cgi, genweb.pl, notifier.pl, etc.

>         As far as webnocol.cgi goes, it will happily execute whatever
>         the subcommand field in the GET/POST request tells it to
>         execute! Not verifying user input is scary enough, but to
>         take an arbitrary command that they provide and execute it
>         is just plain foolhardy.

No, it will only execute the subcommand if it exists in the cmdlist
array. However, I will take a look at tightening things up.


    Rick Beebe                                            (203) 785-6416
    Manager, Systems & Network Engineering           FAX: (203) 785-3978
    ITS-Med Production Services                   Richard.Beebe@yale.edu
    Yale University School of Medicine
    Suite 214, 100 Church Street South, New Haven, CT 06519
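The reply above turns on one detail: a CGI that takes a "subcommand" from the request is only safe if that value is used as a lookup key into a fixed table, never as text handed to a shell. The following is an added illustration of that pattern in Python; it is not code from nocol or webnocol.cgi, and the table of subcommands (CMDLIST), the BadSubcommand error and the resolve/run functions are hypothetical names chosen for the example, not the script's own.

```python
"""Allowlist dispatch for a CGI 'subcommand' parameter.

Added example, not nocol code. CMDLIST below is a hypothetical table; the
real webnocol.cgi cmdlist array is not reproduced here.
"""
import subprocess
from urllib.parse import parse_qs

# Hypothetical allowlist: request value -> fixed argv. The request value is
# used only as a dictionary key; nothing from the request reaches a shell.
CMDLIST = {
    "uptime": ["uptime"],
    "date": ["date", "-u"],
}


class BadSubcommand(ValueError):
    """Raised when the request does not name exactly one allowed subcommand."""


def resolve(query_string: str) -> list:
    """Map the 'subcommand' field of a GET query / POST body to a fixed argv.

    Rejects a missing or repeated field (parameter pollution) and any value
    not present in CMDLIST. Shell metacharacters never matter here because
    the value is compared as a whole string against the table's keys, so
    'uptime;id' is simply an unknown subcommand. A copy of the argv is
    returned so callers cannot mutate the table.
    """
    params = parse_qs(query_string, keep_blank_values=True)
    values = params.get("subcommand", [])
    if len(values) != 1:
        raise BadSubcommand("subcommand must be supplied exactly once")
    name = values[0]
    if name not in CMDLIST:
        raise BadSubcommand("unknown subcommand: %r" % name)
    return list(CMDLIST[name])


def run(query_string: str) -> str:
    """Resolve and execute the subcommand without a shell; return its stdout."""
    argv = resolve(query_string)
    # No shell=True: argv is passed straight to execve, so even a table entry
    # containing spaces or special characters is a literal argument.
    proc = subprocess.run(argv, capture_output=True, text=True, timeout=10, check=False)
    return proc.stdout


if __name__ == "__main__":
    # Constructed sample requests, the second of which is an injection attempt.
    for qs in ("subcommand=uptime", "subcommand=uptime%3Brm+-rf+%2F"):
        try:
            print(qs, "->", resolve(qs))
        except BadSubcommand as err:
            print(qs, "-> rejected:", err)
```

The point of the table is that the lookup is an exact-match allowlist: a substring or prefix test (for example checking whether the request value starts with an allowed name) would let an attacker append arguments, and building a command string from the value at all would reintroduce the problem the first message describes.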