[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Fwd: Infobot bug.]

Date: Wed, 01 Nov 2000 14:09:41 -0500
From: Kevin Lenzo <lenzo@cs.cmu.edu>
Subject: [Fwd: Infobot bug.]


This will be fixed in the forthcoming update.

kevin

Date: Tue, 31 Oct 2000 13:33:54 +0000
From: David Leadbeater <dgl@dgl.cx>
Subject: Infobot bug.

I would of posted this to the mailing list but the majordomo won't send me an
auth code.
Using 0.44.3 with the fortran maths enabled opens a security bug in that the
output is sent to the shell so it is possible to get the output of a simple
command (spaces are stripped), for example:
<werdfs> urlbot calc |id|cat|
<urlbot> uid=500(dgl) gid=500(dgl) groups=500(dgl)
<werdfs> urlbot calc |hostname|cat|
<urlbot> titan.dgl.cx

Here is the patch for Math.pl
43c43
<           open(P, "echo '$parm'|bc 2>&1 |");
---
>           open(P, "echo $parm|bc 2>&1 |");

-- 
-=[ David Leadbeater ]-=-[ dgl@dgl.cx ]-=-[ http://dgl.cx/ ]=-

Prev by Date: Re: How to contribute to infobot?
Next by Date: problem installing infobot
Prev by thread: @#$!
Next by thread: [Fwd: status of 0.50 (1.0? 0.99?)]
Index(es):
- Date
- Thread