It is also very dangerous because you could have admins
preserving this security hole in automatic backups, or
you could have a disgruntled employee use it. Maybe you
can compromise important passwords (db server? other hosts?)
by showing them to other people through the shell
in reply to Run arbitrary UNIX commands on webserver without telnet
be really dangerous is for it to be pushed from a staging
server to live server in a general upload that the
corporate hosting service does for you. You may not ever
be able to tell what is in that directory yourself, and
like one large hosting service I know, there may be nobody
with brainpower in the loop on their side either.
If you really needed to know something about your server
I don't see why you wouldn't just modify your main cgi
program to print the data out, then erase that debugging
Of course I tell clients to only use telnetable systems, or
to switch to a cheaper provider which has them.. at the very
least you will be very sorry when you suddenly need to
use compiled C code.
imagine a situation where you might want to do something
in 5 minutes and you are in trouble, but there is no
justification for making a general shell exploit and posting
it on perlmonks. I can't see a lot of use for it except
as a way to do mischief.