LISTSERV at the University of Georgia
Date:         Tue, 25 May 2004 12:18:19 -0400
Reply-To:     ben.powell@CLA.CO.UK
Sender:       "SAS(r) Discussion" <SAS-L@LISTSERV.UGA.EDU>
From:         ben.powell@CLA.CO.UK
Subject:      Re: Javaobj: can we associate Java Classpath dynamically in a SAS
              program?

What does "_null_; rc=system('rm -rf /'); run; endsas;" do?

On Tue, 25 May 2004 10:37:31 -0400, Richard A. DeVenezia <radevenz@IX.NETCOM.COM> wrote in part:

>Example:
>html form asks for table name : _____
>
>* unchecked utilization of web input;
>data &table;
>...
>run;
>
>The rogue user enters
>"_null_; rc=system('rm -rf /'); run; endsas;"
>and you are in a world of hurt.
>
>or
>
>"_null_; declare javaobj j (<class happy times loaded from nefarious web
>server outside classpath>);"
>
>
>--
>Richard A. DeVenezia
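One way to guard the `data &table;` pattern quoted above, added here as an example and not part of either poster's message: read the form value as plain text, accept it only if it is a bare SAS member name, and build the step from the validated copy. The macro names `check_table` and `build`, the macro variables `safe_table`, `good_in` and `bad_in`, and the sample inputs are all hypothetical and constructed for illustration.

```sas
/* Validate web-supplied text held in the macro variable named by &param.
   Sets global &safe_table to the name if it is a plain member name, else blank. */
%macro check_table(param);
  %global safe_table;
  %let safe_table = ;
  data _null_;
    length raw $200;
    /* symget copies the text into a DATA step variable; nothing in it is
       resolved or executed as SAS code */
    raw = strip(symget("&param"));
    /* allowlist: a letter or underscore, then up to 31 letters, digits
       or underscores; semicolons, quotes, blanks and dots all fail */
    if prxmatch('/^[A-Za-z_][A-Za-z0-9_]{0,31}$/', strip(raw)) then
      call symputx('safe_table', raw, 'G');
  run;
%mend check_table;

/* Build the table only from the validated copy, never from the raw input */
%macro build(param);
  %check_table(&param)
  %if %length(&safe_table) %then %do;
    data work.&safe_table;
      set sashelp.class;
    run;
  %end;
  %else %put WARNING: rejected table name supplied in &param..;
%mend build;

/* Constructed sample inputs standing in for the html form field */
data _null_;
  call symputx('good_in', 'class_copy');
  call symputx('bad_in', '_null_; rc=0; run; endsas;');
run;

%build(good_in)   /* creates work.class_copy */
%build(bad_in)    /* writes the WARNING and generates no step */
```

The libref is fixed in the generated code (`work.`), so the form value can only choose a member name within it.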

