On Fri, Jun 7, 2013 at 5:21 PM, Michael Chaney
<mdcha...@michaelchaney.com> wrote:

> In this particular case the data written to the file came from a form.
>  So, script kiddies were writing their own "scripts".
>
> Michael
>
>
> On Fri, Jun 7, 2013 at 5:11 PM, Robert Wohlfarth <rbwohlfa...@gmail.com> wrote:
>
>> On Fri, Jun 7, 2013 at 5:01 PM, Michael Chaney <
>> mdcha...@michaelchaney.com> wrote:
>>
>>>
>>> > My first thought would be to just drop the file in the directory with
>>> the CGI script. The script can stat the file and regenerate it if it's more
>>> than 10 minutes old (or whatever interval you want). Keep it simple.
>>>
>>> I've been cleaning up a server over the past couple of weeks where
>>> someone else decided to do something like this.
>>>
>>> Please, please, please, do not ever write to a directory that is
>>> executable from a web server.
>>>
>>
>> What happened? Not arguing your point - trying to learn.
>>
>
Ouch. That is nasty.

Thinking out loud... In this case, anyone who can corrupt the intermediate
file already has write access to the CGI directory to put up their own
script. However, someone could enter the URL to the intermediate script and
crash the web server when it tries to execute the text data as a script.
Also a bad thing.

So a better solution would be to put the file in /tmp. And use file locking
to prevent one process from reading the file while another one is trying to
write to it.

-- 
Robert Wohlfarth
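As an added illustration of the approach the thread settles on (not code from anyone on the list): the cached file lives in a private directory the web server does not serve or execute, a reader or writer takes an exclusive flock on a side lock file, and the regenerated copy is renamed into place atomically. It goes one step past the suggestion of a bare /tmp by using a fresh mode-0700 directory, since a shared /tmp is writable by every local user; the `now` parameter and `demo()` walk-through are constructed for the example.

```python
import fcntl
import os
import tempfile
import time


def cached_text(cache_path, generate, max_age=600, now=None):
    """Return (text, regenerated). Regenerate when the cache is older than max_age.
    The exclusive flock keeps a reader from seeing a half-written file; the temp
    file plus rename means the cache is always a complete old or new copy."""
    now = time.time() if now is None else now  # injectable clock, for the demo/test
    with open(cache_path + ".lock", "w") as lock:
        fcntl.flock(lock, fcntl.LOCK_EX)
        try:
            age = now - os.stat(cache_path).st_mtime
        except FileNotFoundError:
            age = None
        if age is not None and age < max_age:
            with open(cache_path) as f:
                return f.read(), False
        text = generate()
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(cache_path), prefix=".new-")
        with os.fdopen(fd, "w") as f:  # mkstemp gives mode 0600, owned by the CGI user
            f.write(text)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, cache_path)       # atomic swap on POSIX
        os.utime(cache_path, (now, now))  # stamp with the caller's clock
        return text, True


def demo():
    """Constructed walk-through: generate, serve from cache, regenerate after expiry."""
    cache_dir = tempfile.mkdtemp(prefix="cgi-cache-")  # private 0700 dir, outside the web tree
    cache_path = os.path.join(cache_dir, "report.txt")
    calls = []

    def generate():  # stands in for the expensive report the CGI script builds
        calls.append(1)
        return "report version %d\n" % len(calls)

    t0 = time.time()
    return [cached_text(cache_path, generate, 600, t0),         # miss: builds v1
            cached_text(cache_path, generate, 600, t0 + 300),   # 5 min old: served from cache
            cached_text(cache_path, generate, 600, t0 + 700)]   # past 10 min: rebuilds as v2


if __name__ == "__main__":
    for text, regenerated in demo():
        print("regenerated" if regenerated else "cached", text.strip())
```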

-- 
-- 
You received this message because you are subscribed to the Google Groups 
"NLUG" group.
To post to this group, send email to nlug-talk@googlegroups.com
To unsubscribe from this group, send email to 
nlug-talk+unsubscr...@googlegroups.com
For more options, visit this group at 
http://groups.google.com/group/nlug-talk?hl=en
