Thank you for sharing this. I was unaware of this category of attack. After having read the article, I’m surprised people write so much about SQL injections, XSS, etc. and never about this.
Probably because in order to do these attacks you need a fair bit of privileges on the system already. And calling through directly to command line apps from something like a webpage is already considered bad practice.
I was thinking of another scenario, where a misprogrammed web application would permit the attacker to save arbitrary filenames on the server, and some time later the admin of the server would run a command using wildcards, for example to delete a directory containing the attacker file, without knowing the “bad” file is there because it is “hidden” in a large mass of otherwise correct files.
Yes, certainly possible, but a much less effective attack than, say, SQL injections.
I agree.
And this is why you should properly escape input, such as using getopt()’s double-hyphen ‘–’ (I know the markdown is going to change that into a long-hyphen) to signify the end of the options.
…or prefix every file name wildcard on the shell with ./ (globbing will expand that -rf into ./-rf, de-fanging it). (:

As sebcat mentioned on HN: “I’m not sure how to put it mildly, but I think you might have been scooped on this some 1-2 decades ago…”
http://seclists.org/fulldisclosure/2014/Jun/136
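The scenario from the thread (an attacker-named file hiding among many legitimate ones, an admin later running `rm *`) and the two defences mentioned above (`--` and the `./` prefix), as an added runnable example that is not code from the thread or the linked articles. The 20 `report_N.txt` files and the `-rf` name are constructed sample data; everything happens inside a fresh `mktemp` directory.

```shell
#!/bin/sh
# Added demonstration, not code from the original thread: an attacker-chosen
# file name ("-rf") lands in option position when an admin runs "rm *",
# and the two fixes discussed above ("--" and "./*") defuse it.
# All file names below are constructed sample data.
set -eu
export LC_ALL=C   # deterministic glob sort: '-' (0x2D) sorts before letters

# Build the thread's scenario: many legitimate uploads plus one file whose
# name the web application never validated.
make_upload_dir() {
    d=$(mktemp -d)
    i=1
    while [ "$i" -le 20 ]; do
        : > "$d/report_$i.txt"
        i=$((i + 1))
    done
    : > "$d/-rf"           # the attacker's "hidden" file
    printf '%s\n' "$d"
}

# Show what the shell actually hands to rm: the first argv word after glob
# expansion. mode: unsafe ("*") or dotslash ("./*").
first_glob_word() {
    dir=$(make_upload_dir)
    (
        cd "$dir"
        case "$1" in
            unsafe)   set -- * ;;      # rm *   -> rm -rf report_1.txt ...
            dotslash) set -- ./* ;;    # rm ./* -> rm ./-rf ./report_1.txt ...
        esac
        printf '%s\n' "$1"
    )
    rm -rf "$dir"
}

# Run the admin's clean-up command on a fresh copy of the directory and
# list what survives. An empty result means the directory was emptied as
# intended; a leftover "-rf" means it was consumed as an option instead.
run_cleanup() {
    dir=$(make_upload_dir)
    (
        cd "$dir"
        case "$1" in
            unsafe)   rm * ;;          # "-rf" becomes the options, not a file
            dashdash) rm -- * ;;       # "--" ends option parsing: "-rf" is an operand
            dotslash) rm ./* ;;        # "./-rf" cannot be mistaken for an option
        esac
        ls -A
    )
    rm -rf "$dir"
}

printf 'argv[1] for "rm *":   %s\n' "$(first_glob_word unsafe)"
printf 'argv[1] for "rm ./*": %s\n' "$(first_glob_word dotslash)"
for mode in unsafe dashdash dotslash; do
    printf '%-8s left behind: [%s]\n' "$mode" "$(run_cleanup "$mode" | tr '\n' ' ')"
done
```

The unsafe case deletes every report and silently leaves `-rf` in place, with no error for the admin to notice. Note that the sort order only decides where `-rf` lands; GNU getopt permutes argv, so the name would be honoured as an option even if it expanded last. `--` relies on the called utility honouring it, whereas the `./` prefix works regardless of how the utility parses its arguments.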