Trojan horse possible with news readers
Bill Fenner
wcf at psuhcx.psu.edu
Mon Dec 5 04:47:25 AEST 1988
In article <1261 at vsi1.UUCP> lmb at vsi1.UUCP (Larry Blair) writes:
|In article <6775 at rosevax.Rosemount.COM> merlyn at ernie.rosemount.com writes:
|=Many news reading programs (rn, vnews, others?) allow you include the
|=original text when following-up or replying-to articles. The
|=default editor is usually vi; some versions of vi will execute
|=commands if it sees a line (near the top or bottom of a file)
|=of the form <e><x><:><command><:>
|
|The newsreader I use (rn) prepends a string to the included text.
|I don't believe that those braindamaged versions of vi will execute:
|
|> ex:!sh -c 'echo any command'>/tmp/NEWSBUG:
Mine did... after seeing the above, with both a | and a > in front of it.
It did it when I replied to his message, and it did it when I followed up
to this one.
Lovely.
Bill
--
Bitnet: wcf at psuhcx.bitnet Bill Fenner | "Ain't got no cash,
Internet: wcf at hcx.psu.edu | Ain't got no style
UUCP: {gatech,rutgers}!psuvax1!psuhcx!wcf | Ain't got no girls
Fido: Sysop at 263/42 (814/238 9633) \hogbbs!wcf| To make me smile"
More information about the Comp.unix.wizards
mailing list