There's probably a very simple explanation for this, but here 'goes: I have a few CGI scripts. A couple of them make system() calls to launch shell scripts. These scripts work fine on the command line, but when I launch the exact same script by visiting it in my browser, the page loads indefinitely. I think this indicates a permissions problem. Is there anything I can do to circumvent this? The server I'm running on is one I don't control.
on 2006-04-06 20:11
on 2006-04-06 21:09
Okay, after much searching, I've discovered that the string I'm passing to system() is tainted because it comes from POST data. I suppose entering "`rm *`" in to any field WOULD be bad news. Lesson learned!