Re: [nocol-users] security problems with webnocol.cgi, genweb.pl, notifier.pl, etc.
> As far as webnocol.cgi goes, it will happily execute whatever
> the subcommand field in the GET/POST request tells it to
> execute! Not verifying user input is scary enough, but to
> take an arbitrary command that they provide and execute it
> is just plain foolhardy.

No, it will only execute the subcommand if it exists in the cmdlist array.
However, I will take a look at tightening things up.

--
_______________________________________________________________________
Rick Beebe                                            (203) 785-6416
Manager, Systems & Network Engineering           FAX: (203) 785-3978
ITS-Med Production Services                   Richard.Beebe@yale.edu
Yale University School of Medicine
Suite 214, 100 Church Street South, New Haven, CT 06519
_______________________________________________________________________
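
The allowlist check discussed in this message, as an added illustration that is not part of the original post and is not NOCOL's code: the request's subcommand only selects an entry, and the program runs that entry's fixed argument list without a shell. Only the name `cmdlist` comes from the message; the entries, paths and function names are assumptions.

```perl
#!/usr/bin/perl
# Added illustration; not the webnocol.cgi source. Everything except the
# idea of a "cmdlist" allowlist is hypothetical.
use strict;
use warnings;

# Allowlist: subcommand name => fixed argument vector (constructed entries).
my %cmdlist = (
    date   => [ '/bin/date', '-u' ],
    uptime => [ '/usr/bin/uptime' ],
);

# Return the fixed argv for an exactly matching subcommand, or undef.
sub resolve_subcommand {
    my ($requested) = @_;
    return undef unless defined $requested;
    # \A and \z anchor the whole string, so a trailing newline or
    # appended shell metacharacters cannot ride along with a valid name.
    return undef unless $requested =~ /\A[a-z][a-z0-9_]{0,31}\z/;
    # Exact hash-key lookup: no substring, prefix or regex matching.
    return $cmdlist{$requested};
}

# Run an allowlisted subcommand; returns (ok_flag, message).
sub run_subcommand {
    my ($requested) = @_;
    my $argv = resolve_subcommand($requested);
    return (0, 'rejected') unless $argv;
    # List-form system() with an explicit program never invokes a shell,
    # and no byte of the request reaches the command line.
    my $rc = system { $argv->[0] } @$argv;
    return ($rc == 0 ? 1 : 0, "ran $argv->[0]");
}

# Constructed sample requests: one valid, the rest must be rejected.
for my $req ('date', 'date; id', 'dat', "date\n", '../date') {
    my ($ok, $msg) = run_subcommand($req);
    (my $shown = $req) =~ s/\n/\\n/g;   # make the newline visible
    printf "%-10s => %s\n", "'$shown'", $msg;
}
```

The membership test alone is not the whole control: if the matched request string were afterwards interpolated into a shell command, a loose match would still let extra input through, which is why the sketch executes the stored entry rather than the submitted value.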