1995-09-19 - Re: NYT on Netscape Crack

Header Data

From: sameer <sameer@c2.org>
To: adam@lighthouse.homeport.org (Adam Shostack)
Message Hash: 8dd321939ebecdceff35957085871c1c9d488188da727bf7629c5a4e065e65dc
Message ID: <199509191355.GAA26932@infinity.c2.org>
Reply To: <199509191349.JAA04365@homeport.org>
UTC Datetime: 1995-09-19 14:00:23 UTC
Raw Date: Tue, 19 Sep 95 07:00:23 PDT

Raw message

From: sameer <sameer@c2.org>
Date: Tue, 19 Sep 95 07:00:23 PDT
To: adam@lighthouse.homeport.org (Adam Shostack)
Subject: Re: NYT on Netscape Crack
In-Reply-To: <199509191349.JAA04365@homeport.org>
Message-ID: <199509191355.GAA26932@infinity.c2.org>
MIME-Version: 1.0
Content-Type: text/plain


> 	Don't forget system(), which was a major source of holes in the NCSA server.  
> Also, CGI scripts, especially those that run under perl or sh, would be a good 
> place to look for holes.  Don't forget to see what happens when you put 
> semi-colons in the data field of various fields, such as mailto:'s.
> 

	A CGI-script hole doesn't count as a netscape server hole.
system() is probably pretty bad though. 

-- 
sameer						Voice:   510-601-9777
Community ConneXion				FAX:	 510-601-9734
An Internet Privacy Provider			Dialin:  510-658-6376
http://www.c2.org (or login as "guest")			sameer@c2.org




Thread