in reply to Re: Re: Re: Hacking CGI - security and exploitation
in thread Hacking CGI - security and exploitation

Thanks for the reply. As for the following:

# why was the following line there?
# if($FORM{'path'} =~ m/\0|\r|\n/ig){ die "illegal characters"; }

[download]

I was wondering why he bothers removing those characters from a variable that is never used. Perhaps he meant $FORM{'user'} in the $htaccess assignment to be $FORM{'path'}?

Replies are listed 'Best First'.
Re: Re(4): Hacking CGI - security and exploitation
by Anonymous Monk on Jun 25, 2002 at 10:28 UTC
    You are correct. Hence again he demonstrated how to get security wrong. :-)
[reply]

In Section Meditations