Jakub Wilk's URL exploit
Recently Jakub Wilk made a curious blog post. It consists solely of a link.
Since the URL contains a shell script I was wondering what the purpose was - a browser wouldn't execute that shell code, right?
But then I got it: the target of this "exploit URL" is the command line or automated shell scripts.
If used unquoted on the command line, the URL - containing shell metacharacters - will actually execute commands.
The same will happen if that URL is accessed unquoted in some shell script (e.g. link checking scripts, spiders, or scripts that use a web service).
Tomáš Pospíšek, 2015-09-22
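
The quoting problem described above, as an added example that is not part of the original post: a small link checker run over the same list of URLs with a weak and a hardened way of passing each URL to the fetch command. The URL list, the `fetch` stand-in for curl/wget and all function names are assumptions made for illustration; the weak variant uses `eval` to model any place where the URL text gets parsed by the shell again.

```shell
#!/bin/sh
# Added example, not from the original post. All names are hypothetical.

# Constructed input for a link checker (not the URL from the blog post).
# ';' is a legal URL character (RFC 3986 sub-delim) and a shell command
# separator; a harmless 'echo' stands in for the embedded shell script.
URLS='http://example.invalid/ok
http://example.invalid/page;echo INJECTED'

# Offline stand-in for curl/wget: reports the single argument it was given.
fetch() {
    printf 'fetch got: %s\n' "$1"
}

# Weak pattern: the URL is pasted into a command string that the shell
# parses again, as with eval, sh -c, system() or a URL typed unquoted.
check_link_unsafe() {
    eval "fetch $1"
}

# Hardened pattern: the URL stays one quoted argument and is never re-parsed.
check_link_safe() {
    fetch "$1"
}

# Run the named checker over every line of $URLS; read -r keeps
# backslashes literal and IFS= keeps leading/trailing blanks.
check_all() {
    printf '%s\n' "$URLS" | while IFS= read -r url; do
        "$1" "$url"
    done
}

echo '--- unsafe ---'; check_all check_link_unsafe
echo '--- safe ---';   check_all check_link_safe
```

Because `;`, `&`, `$`, `(` and `)` are all valid URL characters under RFC 3986, rejecting malformed URLs does not remove the problem; keeping the URL a single quoted argument does.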