calendar.pl
some older /usr/bin/cal don't know about '-m'.
showDate.pl
Using something like
showDate.pl?month=../../../../../../etc/&date=inittab
in the URL
one can open files ro with the executive uid of the user
the server is running as. Only the regexp controlling what is
written out keeps one from reading files contents. So what a pitty
inittab just has 6 entries...
If - however - you'd happen to have users with numerical names
in the range of 8..24, showDate.pl would happily spit their
/etc/password entries at you.
Not too interesting, this one.
alterDate.pl
this seems more 'promising', cause it let's you open files
O_RDWR | O_CREAT,0666, opening all kinds of doors.
An URL like
alterDate.pl?month=../../../../../../etc/&date=passwd&time=r00t&entry=:0:0::/:/bin/sh&action=Add%20new%20entry
really makes you wish you wouldn't have your server running as root...
I didn't play with action=rem, but it looks like it let's you remove any line containing a ':' from any file writable by the user the webserver is running as. (such as logfiles, if you want to hide your traces from playing with action=Add%20new%20entry)
so, as a bottom line, please be sure to check user input in your cgis, esp. when you post them to some public place. You never know just who's gonna use them in what surroundings.
-- bash$ :(){ :|:&};:
In reply to do not use this script in a public environment!
by antihec
in thread CGI- based calendar
by mikkoh
| For: | Use: | ||
| & | & | ||
| < | < | ||
| > | > | ||
| [ | [ | ||
| ] | ] |