On Thu, 7 Mar 2002, at 7:54am, [EMAIL PROTECTED] wrote:
>> I note that Perl's CGI module has an identical feature (the ability to set
>> language variables from an HTML form).
>
> Please clarify if I'm misunderstanding what you're talking about.

Using this feature, an HTML form variable called "foo" results in a language variable called "$foo" (in Perl, at least). So the attacker submits the "form" with extra variables that do things like change your path, shell, internal authentication variables, etc., etc. Basically, the attacker can modify your program's state at will.

-- 
Ben Scott <[EMAIL PROTECTED]>
| The opinions expressed in this message are those of the author and do not |
| necessarily represent the views or policy of any other person, entity or |
| organization. All information is provided without warranty of any kind. |
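
The mechanism described in the reply above, as an added example that is not part of the original message: a constructed Python model (not Perl's CGI module or any real library's API) of a handler that copies every form field into its variable table, beside one that reads only the fields it expects. The field names, the `is_admin` and `path` variables, and the sample requests are assumptions made for illustration.

```python
from urllib.parse import parse_qs

# Constructed sample requests: the form only ever has a "username" field.
NORMAL = "username=alice"
TAMPERED = "username=alice&is_admin=1&path=%2Ftmp"

# Hypothetical allowlist: field name -> maximum accepted length.
EXPECTED_FIELDS = {"username": 32}


def fresh_state():
    """Hypothetical program variables, set by the program before input is read."""
    return {"is_admin": False, "path": "/usr/bin:/bin", "username": ""}


def handle_auto_import(query):
    """Weak pattern: every submitted field becomes a program variable."""
    state = fresh_state()
    for name, values in parse_qs(query, keep_blank_values=True).items():
        state[name] = values[-1]  # field "foo" silently overwrites variable "foo"
    return state


def handle_allowlist(query):
    """Hardened pattern: input stays in its own dict; only expected fields are
    validated and copied. Returns (state, unexpected field names) so the caller
    can log requests that carry fields the form never had."""
    state = fresh_state()
    form = parse_qs(query, keep_blank_values=True)
    unexpected = sorted(set(form) - set(EXPECTED_FIELDS))
    for name, max_len in EXPECTED_FIELDS.items():
        value = form.get(name, [""])[-1]
        if not value.isalnum() or len(value) > max_len:
            raise ValueError("rejected value for field %r" % name)
        state[name] = value
    return state, unexpected


if __name__ == "__main__":
    print("auto-import:", handle_auto_import(TAMPERED))
    print("allowlist:  ", handle_allowlist(TAMPERED))
```

The list of unexpected field names returned by the hardened handler is worth logging, since a legitimate browser submitting the real form never produces it.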
