The problem is that attacker can modify ping's output without having direct access to this program. Example:

ilya@juil:~$ ping www.aha.ru
PING distributed.zenon.net (195.2.91.103): 56 data bytes
     ^^^^^^^^^^^^^^^^^^^^^
64 bytes from 195.2.91.103: icmp_seq=0 ttl=120 time=69.3 ms
64 bytes from 195.2.91.103: icmp_seq=1 ttl=120 time=64.6 ms
[download]

Note that ping (at least its version on my Linux desktop) queries DNS to find canonic name of pinged host. Since attacker controls networking address of pinged computer and may potentialy control corresponding DNS server he can control this part of ping's output. In general if you use output of any networking program you must be extra careful about it. There are many ways how attacker can tamper it without having direct access to your computer.

--
Ilya Martynov, ilya@iponweb.net
CTO IPonWEB (UK) Ltd
Quality Perl Programming and Unix Support UK managed @ offshore prices - http://www.iponweb.net
Personal website - http://martynov.org

Very good point. I did not think of that.

-Lee

"To be civilized is to deny one's nature."

This is why I always escape all output in web applications I write unless I really don't need it. It is just safer, as it saves you from potentially incorrect assumptions about your data.

--
Ilya Martynov, ilya@iponweb.net
CTO IPonWEB (UK) Ltd
Quality Perl Programming and Unix Support UK managed @ offshore prices - http://www.iponweb.net
Personal website - http://martynov.org