# cat evil-file | telnet 127.0.0.1 80 Trying 127.0.0.1... Connected to 127.0.0.1. Escape character is '^]'.
telnet> !id uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),1 0(wheel),19(log) Connection closed by foreign host. I think is very dangerous despite of few admins use telnet for moving file like this, there is attached a detailed security advisory. Good analysis, but I agree with Simon. This isn't a bug, it is no different than: cat evil-file | sh when running as root. If you want to be safe, base64 encode your file first before transfer; or use the -E flag.
