Vulnerability Development mailing list archives
Re: Passing (poison) nulls in cookies
From: Pavel Kankovsky <peak () argo troja mff cuni cz>
Date: Wed, 16 May 2001 01:01:58 +0200 (MET DST)
On Mon, 14 May 2001, Max Vision wrote:
> Since no one answered this, I thought I'd share what I know about it. It looks like the show-stopper is indeed with environment variables. You can send nulls in cookies and it doesn't appear that apache does anything to filter them. However perl uses a bash-type shell by default, which to the best of my understanding will always truncate an environment variable on a null.
Bash or "bash environment" is not involved when CGI programs are invoked (unless the program in question is a script interpreted by bash). What is involved is the execve() system call: its specification says the environment is a list of zero-terminated strings, ergo no string including '\0' can ever be passed via an environment variable to another program.
> Here was what I saw:
>   bash, zsh:  truncates at the null, "hi\x00there" becomes "hi"
>   csh, tcsh:  converts null to space, "hi\x00there" becomes "hi there"
>   ash, ksh:   removes the null, "hi\x00there" becomes "hithere"
The results of your tests are interesting but irrelevant unless the value is read from an open file descriptor.

--Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."
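An added illustration of the point above (example code written for this archive page, not from either poster): the same constructed cookie value "hi\0there" is handed to a child once through the environment, where setenv()/execve() treat it as a C string, and once through a pipe, where it arrives with an explicit byte count. The variable name HTTP_COOKIE and the helper names are assumptions for the demonstration; the sample bytes are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Constructed sample: a cookie value carrying an embedded NUL byte.
 * The array holds 8 payload bytes plus the literal's own terminator. */
static const char COOKIE_RAW[] = "hi\0there";
#define COOKIE_RAW_LEN (sizeof COOKIE_RAW - 1)   /* 8 */

/* Route 1: environment variable, as a CGI gateway sets it before execve().
 * setenv() copies a C string, so the copy stops at the first '\0', exactly
 * the truncation the execve() specification implies. Returns the byte
 * count the program on the other side can observe. */
size_t bytes_via_environment(void)
{
    if (setenv("HTTP_COOKIE", COOKIE_RAW, 1) != 0)
        return 0;
    const char *v = getenv("HTTP_COOKIE");
    return v ? strlen(v) : 0;        /* only "hi" survives: 2 bytes */
}

/* Route 2: an open file descriptor (stdin for a POST body, a pipe here).
 * The writer passes an explicit length instead of strlen(), so the NUL
 * is just another byte and the reader must track the count, not rely on
 * string termination. Returns the number of bytes the reader received. */
size_t bytes_via_fd(void)
{
    int fds[2];
    if (pipe(fds) != 0)
        return 0;
    ssize_t w = write(fds[1], COOKIE_RAW, COOKIE_RAW_LEN);
    close(fds[1]);
    if (w != (ssize_t)COOKIE_RAW_LEN) { close(fds[0]); return 0; }

    char buf[64];
    ssize_t n = read(fds[0], buf, sizeof buf);
    close(fds[0]);
    return n < 0 ? 0 : (size_t)n;    /* all 8 bytes, NUL included */
}

int main(void)
{
    printf("via environment:     %zu bytes\n", bytes_via_environment());
    printf("via file descriptor: %zu bytes\n", bytes_via_fd());
    return 0;
}
```

The second route is the case the reply singles out: any code that reads request data from a descriptor and then treats the buffer as a C string silently discards everything after the first NUL, so length-aware handling is the defensive requirement there.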