Vulnerability Development mailing list archives

Re: shell script cgi


From: Ed Schmollinger <schmolli () frozencrow org>
Date: Sun, 17 Nov 2002 08:58:00 -0600

On Sat, Nov 16, 2002 at 01:44:15AM -0800, Nick Jacobsen wrote:
> Have you considered including quote characters in the HTTP_USER_AGENT field?
> like so:
> $HTTP_USER_AGENT = "" | cat "/etc/passwd"
> if you do this, the ua=`echo "$HTTP_USER_AGENT" | sed "s#\;##g"` string will
> come out looking like the following:
> ua=`echo "" | cat "/etc/passwd" | sed "s#\;##g"`
> all you are doing is terminating the echo text with a quote character, and
> then adding another quote character before the filename so that the command
> will be interpreted correctly...
> Let me know if this works, but it should...

That would require your string to be expanded twice, just like all the
other examples that don't do anything bad.  echo doesn't expand its
arguments, and the shell only expands variables once.

It doesn't matter what you set $HTTP_USER_AGENT to.  It's quoted.  The
worst that you can do with that code snippet is to pass a goofy looking
value to sed via stdin.  If you're looking for something to exploit,
look at how the variable $ua is used later on in the script.

-- 
Ed Schmollinger - schmolli () frozencrow org
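
The single-expansion behaviour described in the reply above, as an added example that is not part of the original thread. The function names, the harmless `echo INJECTED` stand-in for the file read, and the `eval` line are assumptions made for illustration; the script's real later use of `$ua` is not shown on this page.

```shell
#!/bin/sh
# Added example, not code from the thread. Constructed input: a User-Agent
# value shaped like the one proposed in the quoted message, with a harmless
# `echo INJECTED` in place of the file read.
HOSTILE_UA='"" | echo INJECTED'

# The line from the thread. The variable is expanded once, inside double
# quotes, so its whole value reaches echo as one argument. The quote and
# pipe characters in it are data, never shell syntax; sed just sees bytes.
strip_semicolons() {
    HTTP_USER_AGENT=$1
    ua=`echo "$HTTP_USER_AGENT" | sed "s#\;##g"`
    printf '%s\n' "$ua"
}

# Hypothetical later use of the kind the reply says to look for: eval
# parses the already-expanded text a second time, so the embedded quotes
# and pipe now act as syntax and the second command runs.
reparse_with_eval() {
    HTTP_USER_AGENT=$1
    eval "echo $HTTP_USER_AGENT"
}

# Stand-alone run: show all three outcomes.
printf 'quoted, hostile value : %s\n' "`strip_semicolons "$HOSTILE_UA"`"
printf 'quoted, normal value  : %s\n' \
    "`strip_semicolons 'Mozilla/4.0 (compatible; MSIE 6.0)'`"
printf 'eval, hostile value   : %s\n' "`reparse_with_eval "$HOSTILE_UA"`"
```

When auditing a shell CGI, the lines to flag are the ones that hand request data to `eval`, `sh -c`, or an unquoted expansion, not the quoted assignment itself.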
