Vulnerability Development mailing list archives

Re: shell script cgi


From: mlh <mlh () zip com au>
Date: Sun, 17 Nov 2002 09:48:37 +1100



I'm convinced there is no way in this particular
statement, given that the var is in quotes.

All you're doing after all is echoing it, which
only does one level of interpretation, which in
this case is removing the quotes.


Of course, some values may be more dangerous
for statements further on in the code.

e.g.
HTTP_USER_AGENT='`cat /etc/passwd`'


Matt
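
Added illustration, not part of the original message: a sketch of the distinction drawn above, comparing a quoted echo, an unquoted echo, and a later statement that re-parses the value. The sample value is constructed (its backticks wrap a harmless `echo INJECTED`) and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample value. Single quotes keep the backticks literal at
# assignment time, the same way a CGI server places the raw header text
# into the environment without interpreting it.
HTTP_USER_AGENT='Mozilla   `echo INJECTED`'

# Quoted expansion: the shell substitutes the value once and does not
# re-parse the result, so the backticks are printed, not executed.
show_quoted() {
    printf '%s\n' "$HTTP_USER_AGENT"
}

# Unquoted expansion: the result is word-split (and glob-expanded), so the
# run of spaces collapses, but it is still not re-parsed as shell code.
show_unquoted() {
    echo $HTTP_USER_AGENT
}

# A statement "further on in the code" that re-parses the value: eval runs
# the parser a second time over the expanded text, so the command
# substitution inside the header value is executed.
show_eval() {
    eval "echo $HTTP_USER_AGENT"
}

show_quoted     # backticks printed literally
show_unquoted   # spaces collapsed, backticks still literal
show_eval       # embedded command has run
```

The same second parse happens wherever the value is pasted into a command string (`sh -c`, a generated script, backticks around a command built from the variable), so a script review should follow the variable into every later statement, not only the echo.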




