Full Disclosure mailing list archives

Re: Re: Gaim festival plugin exploit

From: merlyn () stonehenge com (Randal L. Schwartz)
Date: 23 Oct 2003 17:03:08 -0700

"Dale" == Dale Harris <rodmur () maybe org> writes:


Dale> So let me guess  open FEST "|..." uses popen(), right?

No, it doesn't.  It uses its own code, which looks at the string
to see if there are shell constructs, and if not, avoids the
shell by parsing whitespace and args on its own.


-- 
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
<merlyn () stonehenge com> <URL:http://www.stonehenge.com/merlyn/>
Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Current thread:

Re: Gaim festival plugin exploit, (continued)
- Re: Gaim festival plugin exploit HCTITS Security Division (Oct 17)
  - Re: Re: Gaim festival plugin exploit Cael Abal (Oct 17)
    - Re: [Cert-lists] Re: Re: Gaim festival plugin exploit Georg Moritz (Oct 20)
  - Re: Gaim festival plugin exploit Randal L. Schwartz (Oct 20)
    - Re: Re: Gaim festival plugin exploit Brian Hatch (Oct 23)
    - Re: Re: Gaim festival plugin exploit Randal L. Schwartz (Oct 23)
    - RE: Re: Gaim festival plugin exploit Scott Phelps / Dreamwright Studios (Oct 23)
    - Re: Re: Gaim festival plugin exploit Dale Harris (Oct 23)
    - Re: Re: Gaim festival plugin exploit Shawn McMahon (Oct 23)
    - Re: Re: Gaim festival plugin exploit Randal L. Schwartz (Oct 23)
    - Re: Re: Gaim festival plugin exploit Randal L. Schwartz (Oct 23)
  - Re: Gaim festival plugin exploit Randal L. Schwartz (Oct 20)
  - Re: Gaim festival plugin exploit Randal L. Schwartz (Oct 20)