On 17/12/2010 20:57, Bob Proulx wrote:
> CGI scripts are not normally setuid but are running as the web
> server process owner

You wish...

> Instead they stem from a script running unverified user provided
> input. [...] It is a problem, and a big one, but completely different from
> having a local user attack against a setuid script and be able to
> gain the privilege of the script owner.

I do not think it is "completely different". A setuid script has to defend itself against input from the local user.

> Using user provided input as commands is a problem no matter what
> language you use.

Some languages make it easy, others not.