Hello, Is posible to inject a scape sequence via stdin to telnet, and arbitrary comands will be executed,
for example: # cat evil-file | telnet 127.0.0.1 80 Trying 127.0.0.1... Connected to 127.0.0.1. Escape character is '^]'. telnet> !id uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),1 0(wheel),19(log) Connection closed by foreign host. I think is very dangerous despite of few admins use telnet for moving file like this, there is attached a detailed security advisory. regards
2011-002.adv
Description: Binary data
