Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email email@example.com
Exploits from command line?
From: Benjamin Livshits (livshitscs.stanford.edu)
Date: Tue Jan 18 2005 - 14:49:47 CST
I've come upon some cases in large Web-base applications where the
errors such SQL injection and XSS are found in codes that are not
accessible by Web users. For instance, some applications include a few
sloppily written maintenance programs that are invoked from the command
line as well as Ant tasks that are supposed to be invoked by the
On the surface, these errors are probably pretty irrelevant, as an
attacker that has the permissions to run the application from the
command line is already in some sense in the system and can cause more
damage elsewhere. Is this the right assessment or are there situations
where the ability to perform SQL injections from the command line is in
fact somehow dangerous?