http://www.perlmonks.org?node_id=122103


in reply to Run arbitrary UNIX commands on webserver without telnet

I far prefer the tried and true: 
use CGI qw(:standard);
# Time passes
open(IN, param("input_file"));
# and do the rest of the apparently innocuous program

[download]
The proper usage of this handy command runner I leave to your imagination, a close read of open's semantics, and a reminder that if you know how to do a URI encoding, you can put pipes etc into the filename.

Yes. This is a warning about a basic security mistake that you may be making without realizing it...

  • Comment on Re (tilly) 1: Run arbitrary UNIX commands on webserver without telnet
  • Download Code

Replies are listed 'Best First'.
Re(dmm) 2: Run arbitrary UNIX commands on webserver without telnet
by dmmiller2k (Chaplain) on Oct 30, 2001 at 19:42 UTC

    Very stealthy. And concise.

    dmm

    
You can give a man a fish and feed him for a day ...
Or, you can teach him to fish and feed him for a lifetime
[reply]

In Section Craft