mail] PHP/shell script]
brad
brad at ispn.net
Fri Aug 15 19:10:59 CDT 2003
That makes sense. Is this something I can easily do with PHP or should
I run a shell script to parse through the string?
Thanks,
Brad
Brian wrote:
> The security concerns are that someone passes a malicious
> text string with "special" characters (i.e. characters that
> the OS interprets) that cause the text string to be treated
> as a shell command that will run with privileges of the
> daemon parsing the message. This is a good way for a cracker to
> root into your system and perform bad things. It is feasible to
> pass a well-formed string that will execute "rm -rf /" or other
> less obvious, but much more harmful things. There are basically
> two approaches to protect yourself from this:
>
> 1) parse the data out stripping the special characters,
> 2) parse the data out stripping all characters except the ones you
> want to allow.
>
> I don't recall what all the special characters are, but there are
> plenty of Internet references on the subject. Not to mention a good
> number on the list who probably know them by heart. I'd have to
> look them up in a book.
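As an added example (not from the thread), Brian's second approach written in PHP, since that is what Brad asked about: keep only the characters you expect, then quote the result before it ever reaches a shell. The command name `forward_mail` and the sample input are constructed placeholders.

```php
<?php
// Approach (2): allowlist. Keep only characters that belong in an address or
// a short name; everything else (; | & $ ` ( ) < > newline ...) is dropped.
// Note the list deliberately excludes '+', so adjust it if you need plus-addressing.
function allowlist_filter(string $input, int $maxLen = 64): string
{
    $clean = preg_replace('/[^A-Za-z0-9@._-]/', '', $input);
    return substr($clean, 0, $maxLen);
}

// Approach (1): denylist, shown only for contrast. Any metacharacter you forget
// here is a hole, which is why the allowlist above is the safer default.
function denylist_filter(string $input): string
{
    $meta = ['`', '$', ';', '|', '&', '<', '>', '(', ')', '*', '?',
             '\\', '"', "'", "\n", "\r"];
    return str_replace($meta, '', $input);
}

// Second layer: escapeshellarg() wraps the value as a single quoted word, so
// even a character the filter let through cannot start a new command.
function build_command(string $untrusted): string
{
    $safe = allowlist_filter($untrusted);
    return 'forward_mail ' . escapeshellarg($safe);  // placeholder command
}

// Constructed sample: an address followed by shell metacharacters.
$sample = "alice@example.com; `uname -a`\n";

echo allowlist_filter($sample), PHP_EOL;  // alice@example.comuname-a
echo denylist_filter($sample), PHP_EOL;   // alice@example.com uname -a
echo build_command($sample), PHP_EOL;     // forward_mail 'alice@example.comuname-a'
```

Pass the result of `build_command()` to `exec()` or `system()` rather than the raw message text; the filter alone is not enough if another code path later re-splits the string.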
More information about the Kclug mailing list