Take a look at the code in this node. Since it didn't have taint checking (amongst many other problems), I was rather concerned about it. A quick review of this code revealed the following line of code. Where does the filename come from?
It appears to come from here (near the start of the program):
Guess what the following URL does (assuming it's pointing to that CGI script):
If we use that code with that URL, we have /bin/ls| in the filename to be opened. That trailing pipe causes /bin/ls to be executed instead of opened.
Well, that's interesting.
I can now execute any executable on the server that the the script would have rights to run. Needless to say, there is a security issue here and it's a whopper. For all those monks out there who don't take this seriously (and I see a lot of them), pay attention!!!!
Join the Perlmonks Setiathome Group or just go the the link and check out our stats.