WebApp Sec mailing list archives
Exploits from command line?
From: "Benjamin Livshits" <livshits () cs stanford edu>
Date: Tue, 18 Jan 2005 12:49:47 -0800
I've come upon some cases in large Web-based applications where errors such as SQL injection and XSS are found in code that is not accessible by Web users. For instance, some applications include a few sloppily written maintenance programs that are invoked from the command line as well as Ant tasks that are supposed to be invoked by the application administrator. On the surface, these errors are probably pretty irrelevant, as an attacker that has the permissions to run the application from the command line is already in some sense in the system and can cause more damage elsewhere.

Is this the right assessment or are there situations where the ability to perform SQL injections from the command line is in fact somehow dangerous?

Thanks,
-Ben