You have a good point. How would you guard against this sort of spoofing? Require several rapid-fire hits before blocking, perhaps?

Also, it turns out that the "%400,404a" is erroneous. This was a mistake on my part that stemmed from a misunderstanding of the Apache documentation. It's better just to use %a there, since adding the "400,404" in the middle can create a malformed command in certain unusual circumstances. (No harm will be done, though.)

By the way, Apache runs its master process as root and demotes all the others it spawns to a uid of your choosing. The master process opens the log files, so yes, the command is run as root. Note that no user input is used in the command, so it's not possible to execute a command of your choosing via this mechanism.

--Brett

At 03:46 PM 11/8/2001, Peter W wrote:
>This is very cool stuff. So I can get someone to view an HTML page|email
>with code like <IMG alt="" height="0" width="0" hspace="0" vspace="0"
>src="http://brettglass.example.com/winnt/system32/cmd.exe">, I can easily
>prevent them, or anyone else coming from the same space, from reaching your
>Web server. Get some AOL users to read the messages and bye-bye to all the
>AOL proxy server traffic. Get lots of usenet "victims", and even if they
>don't care about your Web site, man, your routing table suddenly looks bad.
>
>Very (un)cool.
>
>-Peter
>
>P.S. If that exec sh route thing actually works, does that mean your httpd
>is running as root?
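The "several rapid-fire hits before blocking" idea from the reply above, worked through as an added example (this is not Brett's piped-log script and not code from the thread). It assumes a hypothetical piped CustomLog whose lines have been reduced to "<client-ip> <status> <unix-timestamp>"; the sample lines are constructed. The point it demonstrates is that a single-hit policy lets one embedded <IMG> tag get an innocent viewer blocked, whereas a threshold inside a time window does not, and that the address is validated with the ipaddress module rather than ever being handed to a shell as raw text.

```python
"""Threshold-based blocking decision for a piped Apache log (added example).

Assumed (hypothetical) input shape per line: "<client-ip> <status> <unix-ts>".
Nothing here executes a firewall command; it only returns the decision.
"""
import ipaddress
from collections import defaultdict, deque

BLOCK_THRESHOLD = 5            # triggering hits needed before an address is blocked
WINDOW_SECONDS = 60            # ...all of them within this many seconds
TRIGGER_STATUSES = {400, 404}  # statuses that count as probing (as in the thread)


class RapidFireDetector:
    def __init__(self, threshold=BLOCK_THRESHOLD, window=WINDOW_SECONDS):
        self.threshold = threshold
        self.window = window
        self.hits = defaultdict(deque)   # ip -> timestamps of triggering hits
        self.blocked = set()

    @staticmethod
    def parse(line):
        """Return (ip, status, ts) or None. Lines not in the fixed shape are dropped,
        so a crafted request line can never smuggle extra tokens into the decision."""
        parts = line.split()
        if len(parts) != 3:
            return None
        try:
            ip = ipaddress.ip_address(parts[0])  # strict validation of the address
            status = int(parts[1])
            ts = int(parts[2])
        except ValueError:
            return None
        return str(ip), status, ts

    def feed(self, line):
        """Process one log line; return the ip if it just crossed the threshold, else None."""
        rec = self.parse(line)
        if rec is None:
            return None
        ip, status, ts = rec
        if status not in TRIGGER_STATUSES or ip in self.blocked:
            return None
        q = self.hits[ip]
        q.append(ts)
        while q and ts - q[0] > self.window:   # slide the window forward
            q.popleft()
        if len(q) >= self.threshold:
            self.blocked.add(ip)
            return ip
        return None


def run(lines, threshold=BLOCK_THRESHOLD, window=WINDOW_SECONDS):
    """Feed every line through one detector; return the addresses newly blocked, in order."""
    det = RapidFireDetector(threshold, window)
    return [ip for ip in (det.feed(line) for line in lines) if ip]


# Constructed sample log lines (not from the thread).
SAMPLE_LINES = [
    "192.0.2.10 404 1000",      # one hit from a viewer of an embedded <IMG> tag
    "203.0.113.5 200 1001",     # ordinary successful request, never counted
    "198.51.100.7 404 1002",
    "198.51.100.7 404 1005",
    "198.51.100.7 400 1009",
    "not-an-ip 404 1010",       # rejected by the parser
    "198.51.100.7 404 1012",
    "198.51.100.7 404 1015",    # fifth hit inside 60 s -> blocked here
    "198.51.100.7 404 1016",    # already blocked, ignored
    "192.0.2.10 404 1200",      # the viewer again, far outside the window
]

if __name__ == "__main__":
    print("blocked:", run(SAMPLE_LINES))                                # ['198.51.100.7']
    print("single-hit policy would block the viewer:",
          RapidFireDetector(threshold=1).feed("192.0.2.10 404 1000"))  # 192.0.2.10
```

With the threshold at one (the policy the quoted mail exploits) the viewer of a single booby-trapped image is blocked at once; with five hits in sixty seconds only the address that actually probes repeatedly is. The window and threshold are tuning knobs, and a shared proxy address such as the AOL case in the thread will still accumulate hits from many users, so an allow-list of known proxies or a per-path rather than per-address count is the usual next refinement.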