Bugtraq mailing list archives

Re: Filename Inspection+Perl can Executing commands


From: Tom Geldner <tom () XOR CC>
Date: Thu, 7 Dec 2000 21:53:22 -0800

----- Original Message -----
From: "Billy Nothern" <disk_key () HOTMAIL COM>
Here is an example URL an attacker could use:

http://host/."./."./Perl/eg/core/findtar+&+echo+hacked+>+c:\InetPub\wwwroot\hacked.html+&+.pl

The whole discussion was interesting but speaking as a site that runs
ActiveState Perl, the assumptive directory layout you've outlined
doesn't seem correct. (Regardless, we don't have findtar in our Perl
libs.)

lib/core is what I've seen. Is this exploit specific to a particular
install or version of AS Perl for IIS?

Tom

