Bugtraq mailing list archives
Re: BUG in /bin/bash
From: Dan_Thorson () notes seagate com (Dan Thorson)
Date: Mon, 16 Sep 1996 22:52:12 -0400
I've tried Solaris 2.5 (unpatched) with the same results. I'll report on 2.5 using recommended patches if I see anything different.
Solaris 2.4, Debian Linux 1.1, Irix 5.2, OSF/1 3.2, SunOS 4.1.1, Ultrix 4.2
Roger Espel Llima wrote:

> VULNERABILITY: A variable declaration error in "bash" allows the character with value 255 decimal to be used as a command separator.
>
> That reminds me of a similar "little-known feature" on SunOS and Solaris, where /bin/sh interprets '^' as a synonym for '|':
>
> $ sh -c 'echo blah ^ cat'
> blah
>
> Again this could be exploited to fool CGI scripts (and ircII scripts too) which execute shell commands with user-supplied data, after checking for things like ';', '|' and '&'.
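
An added example, not part of the original post or thread: it shows why a check for ';', '|' and '&' lets the '^' and byte-255 separators discussed above through, next to an allow-list check and execution that never involves a shell. The function names, the allowed character set and the sample inputs are assumptions constructed for illustration.

```python
import re
import subprocess
import sys

# The deny-list the quoted post describes: reject ';', '|' and '&'.
DENYLIST = set(";|&")

# Allow-list (assumption for this example): only characters that no
# Bourne-style shell treats specially, with a length bound.
ALLOWED = re.compile(rb"[A-Za-z0-9_.@-]{1,64}")

# Constructed sample inputs: a benign value, the '^' case from the post,
# a value containing byte 255, and a classic ';' separator.
SAMPLES = [b"alice", b"blah ^ cat", b"blah\xffcat", b"blah; cat"]


def denylist_accepts(value: bytes) -> bool:
    """Naive check: accept unless a known separator is present."""
    return not any(chr(b) in DENYLIST for b in value)


def allowlist_accepts(value: bytes) -> bool:
    """Strict check: accept only if every byte is explicitly permitted."""
    return ALLOWED.fullmatch(value) is not None


def run_without_shell(value: bytes) -> bytes:
    """Validate, then pass the value as one argv element (no shell parsing)."""
    if not allowlist_accepts(value):
        raise ValueError("rejected input: %r" % value)
    # The child is this Python interpreter echoing argv[1]; it stands in
    # for whatever helper program a CGI script would invoke.
    child = "import sys; sys.stdout.write(sys.argv[1])"
    result = subprocess.run(
        [sys.executable, "-c", child, value.decode("ascii")],
        capture_output=True,
        check=True,
    )
    return result.stdout


if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "denylist:", denylist_accepts(sample),
              "allowlist:", allowlist_accepts(sample))
```

The deny-list accepts both `blah ^ cat` and the byte-255 input because neither contains a character it knows about; the allow-list rejects them without needing to know which shell treats which byte as a separator.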