CGI and DestroyStack property

J. Landman Gay jacque at hyperactivesw.com
Fri Apr 28 19:28:57 CDT 2006


Tariel Gogoberidze wrote:

>> You can do it if you keep the stack somewhere else outside of the CGI
>> folder, but I hear that can be a security risk (though I'm not sure how
>> exactly, but someone wrote me once with very strong opinions about it.)
> 
> Probably because it opens the door to what's usually called "executing 
> arbitrary code on remote computer" :)

Right, that's what they said, but I don't see how it could be done. The 
CGI would only write specific data to a specific stack, and there isn't 
any way to make it behave differently by sending commands to it. As long 
as your CGI only operates on valid input, how could someone execute code?

The only way a CGI could be misused that way is if it contained a line 
of script like:

   do the params

which would be a really stupid thing to include. I can't think how an MC 
CGI could be abused without something like that in it.

-- 
Jacqueline Landman Gay         |     jacque at hyperactivesw.com
HyperActive Software           |     http://www.hyperactivesw.com
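
The point argued in the message above, that a CGI which accepts only specific, validated fields and writes them to one fixed place gives a request nothing to execute, sketched as an added example that is not part of the original post. It is written in Python rather than MetaCard script; the field names, the patterns and the list standing in for the stack are assumptions.

```python
import re
from urllib.parse import parse_qsl

# Assumed allowlist: the only fields this CGI accepts, each with a strict pattern.
ALLOWED_FIELDS = {
    "name": re.compile(r"[A-Za-z][A-Za-z .'-]{0,63}"),
    "score": re.compile(r"[0-9]{1,6}"),
}

def parse_request(query_string):
    """Return {field: value} for a valid request; raise ValueError otherwise."""
    record = {}
    # strict_parsing / max_num_fields make parse_qsl itself raise ValueError
    # on malformed pairs or on more fields than the CGI ever expects.
    pairs = parse_qsl(query_string, keep_blank_values=True,
                      strict_parsing=True, max_num_fields=len(ALLOWED_FIELDS))
    for key, value in pairs:
        pattern = ALLOWED_FIELDS.get(key)
        if pattern is None:
            raise ValueError("unknown field")
        if key in record:
            raise ValueError("duplicate field")
        if not pattern.fullmatch(value):
            raise ValueError("bad value for " + key)
        record[key] = value
    if len(record) != len(ALLOWED_FIELDS):
        raise ValueError("missing field")
    return record

def handle(query_string, store):
    """Validate one request and append it to the fixed store (the 'stack')."""
    try:
        record = parse_request(query_string)
    except ValueError as exc:
        return "400 " + str(exc)
    store.append(record)  # values are kept as inert strings, never run as script
    return "200 OK"

if __name__ == "__main__":
    store = []
    # Constructed sample requests: one valid, three that must be refused.
    for qs in ("name=Ann+Lee&score=42", "name=Ann&score=1%3B+delete+stack",
               "cmd=x&score=1", "name=Ann"):
        print(qs, "->", handle(qs, store))
    print(store)
```

Only the first constructed request reaches the store; the others are refused before anything is written.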

