
30 Jul 1999, 11:22
Hi,

test-cgi really is a test CGI ... BUT in earlier versions there is a BUG which opened a security hole: client-initialised ENV variables were NOT quoted, such as $QUERY_STRING, $HTTP_ACCEPT, ...! So it was easy to append shell commands to the ENV vars. The result then was:

..:% echo <regular query_string>; <appended sh-command>

THE NEWER versions are fixed!

Regards - Richard

--
..."AS IS" WITHOUT WARRANTY OF ANY KIND ...
PGP-public-key: http://www.wlp.de/pgp_public_keys/rl-pgp-public-key.txt
Contact: http://www.wlp.de/kontakt
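What leaving the quotes off a client-set variable changes in a POSIX shell, and a quick way to spot the pattern in a CGI script, as an added example that is not part of the original message and not the test-cgi source. The function names, the sample script and the file names are constructed for illustration; `find_unquoted` is a hypothetical line-based heuristic, not a shell parser.

```shell
#!/bin/sh
# Added example (not the original test-cgi source).

# Pre-fix pattern: no quotes, so the shell applies word splitting and
# filename expansion to the client-supplied value before echo sees it.
report_unquoted() {
    echo QUERY_STRING = $QUERY_STRING
}

# Fixed pattern: double quotes pass the value through as literal text.
report_quoted() {
    echo "QUERY_STRING = $QUERY_STRING"
}

# Heuristic audit (hypothetical helper): drop double-quoted spans from each
# line, then list lines that still expand a client-controlled CGI variable.
find_unquoted() {
    sed 's/"[^"]*"//g' "$1" | grep -nE '\$\{?(QUERY_STRING|HTTP_[A-Z_]+)' || true
}

demo() {
    dir=$(mktemp -d) || return 1
    touch "$dir/alpha.txt" "$dir/beta.txt"      # constructed marker files
    # Constructed sample script: one unquoted use, one quoted use.
    cat > "$dir/sample.cgi" <<'EOF'
#!/bin/sh
echo HTTP_ACCEPT = $HTTP_ACCEPT
echo "QUERY_STRING = $QUERY_STRING"
EOF
    (
        cd "$dir" || exit 1
        QUERY_STRING='*.txt'                    # constructed client input
        printf 'unquoted: %s\n' "$(report_unquoted)"
        printf 'quoted:   %s\n' "$(report_quoted)"
        printf 'audit:    %s\n' "$(find_unquoted sample.cgi)"
    )
    rm -rf "$dir"
}

demo
```

The audit reports single-quoted and commented occurrences as well, so treat its output as a list of lines to review by hand.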