[Gllug] Perl of the Sea - Gee I . . .

Lobster edjason at britishlibrary.net
Thu Apr 24 06:02:01 UTC 2003


At 15:06 23/04/2003 +0100, you wrote:
>You can do this using CGI rather than HTML directly, but it is very
>dangerous.  If you want to do something simple like run the 'ls' command,
>give them the option of running it, but don't let them supply parameters.
>If you do, then they could put something like this as the parameter " -l;
>rm -rf /*" and it would list the contents of the directory and then erase
>everything from the computer that the user the code is running as has access
>to.  The code usually runs as the web server user which is usually set to
>"nobody" so it's not totally dangerous if you are set up correctly, but it
>sure isn't safe.

Got it!
Gee, I was thinking of only running it on my machine . . .
and maybe making it available as a tar ball (zip thingy).
It just seems that the power of Linux is in the shell,
but the way the commands are available, documented,
etc. is not much fun . . .
(thanks to Jim in next post for RUSE Linux guide advice)

Still trying to get my head around this . . .
it would seem bash calls about 3000 commands,
so what I was thinking of was different ways of presenting
these commands but working on actual (benign) examples.

So if it was running on a server
the 'danger' would be to the user's machine
and not the server, OR the server would not
be compromised if it was set up correctly . . .

It would give me a good way
of working through the commands
- maybe someone has done it?

Do these things such as Midnight Commander
or similar utilise these commands much like XTree
under MS-DOS?
- what is to be recommended?

Many thanks for everyone's comments :-)

Lobster 



-- 
Gllug mailing list  -  Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug
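Added example (not code from this thread, nor from any project it mentions): the CGI command-injection pattern the quoted mail warns about, shown beside a hardened version of the same "let the learner run ls" idea. The handler names, the allow-list of ls flags and the "; echo INJECTED" payload are assumptions made for the demonstration; the harmful " -l; rm -rf /*" payload from the mail is deliberately not executed. It assumes a POSIX host with /bin/sh, ls and echo.

```python
"""Shell injection via a CGI wrapper around ls, and a hardened alternative.

Added illustration, not code from the GLLUG thread.  Hypothetical handler
names; assumes /bin/sh, ls and echo exist (POSIX host).
"""
import re
import subprocess


def vulnerable_listing(user_flags: str) -> str:
    """Interpolate the user's text into a shell command line (the bad pattern).

    The string is handed to /bin/sh -c, so anything after ';' runs as a second
    command: " -l; rm -rf /*" would list the directory and then start deleting
    whatever the web-server user may write.  The demonstration payload used in
    the checks is "-l; echo INJECTED", which is harmless.
    """
    cmd = "ls " + user_flags
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


# Allow-list of ls flags a learner may try.  Hypothetical set for this example;
# everything else, including any shell metacharacter, is refused outright.
ALLOWED_FLAGS = frozenset({"-l", "-a", "-h", "-la", "-al", "-lh", "-lah"})
_FLAG_RE = re.compile(r"-[a-z]+")


def validate_flags(user_flags: str) -> list:
    """Split on whitespace and accept only tokens on the allow-list.

    Raises ValueError for anything else, so ';', '|', '$(...)', '..' or a
    stray filename never reach the command at all.
    """
    args = user_flags.split()
    for token in args:
        if not _FLAG_RE.fullmatch(token) or token not in ALLOWED_FLAGS:
            raise ValueError(f"rejected argument: {token!r}")
    return args


def is_rejected(user_flags: str) -> bool:
    """True when validate_flags() refuses the input (helper for checks)."""
    try:
        validate_flags(user_flags)
    except ValueError:
        return True
    return False


def hardened_listing(user_flags: str) -> str:
    """Validate first, then pass argv as a list so no shell is involved.

    Each element is one argument to ls itself; '--' ends option parsing and '.'
    fixes the target, so even a token that slipped past validation could not
    chain a second command or pick another directory.
    """
    args = validate_flags(user_flags)
    return subprocess.run(["ls", *args, "--", "."], capture_output=True,
                          text=True, check=True).stdout


if __name__ == "__main__":
    payload = "-l; echo INJECTED"
    print("vulnerable handler ran the injected command:",
          "INJECTED" in vulnerable_listing(payload))
    print("hardened handler rejects it:", is_rejected(payload))
    print(hardened_listing("-l"))
```

Two things matter here: the argv-list form removes the shell from the path entirely, and the allow-list means the learner still only gets the benign flags the page wants to teach. Running the CGI as "nobody", as the quoted mail notes, bounds the damage of the vulnerable version but does nothing to stop the injection itself.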