CoSign: Collaborative Single Sign-On  
 

cosign-discuss at umich.edu
general discussion of cosign development and deployment
 


[OT] Re: login cgi argument sanity checking



On Aug 23, 2005, at 11:38 AM, Cory Snavely wrote:

> (I will occasionally see strings like "|cat /etc/passwd" passed as a CGI argument to web applications we run, and thoroughly roll my eyes at such pathetic attempts, but it goes to show that some folks will try an exploit in any conceivable place.)

Not as pathetic as you might think. The Daily WTF (http://www.thedailywtf.com/) is filled with code from deployed systems that have such ridiculous holes. A recent, somewhat relevant post: http://www.thedailywtf.com/forums/41153/ShowPost.aspx


Sorry for the only tangentially-related post,


sacha



--
Sacha Michel Mallais - 800 lb. gorilla
Global Village Consulting Inc.: http://www.global-village.net/
1. Never tell everything at once. -- Ken Venturi, Ken Venturi's Two Great Rules of Life




 
Copyright © 2002 - 2004 Regents of the University of Michigan :  Page last updated 15-December-2010