Vulnerability Development mailing list archives
Re: shell script cgi (summary?)
From: c jones <ojnes33 () yahoo com>
Date: Mon, 18 Nov 2002 10:58:24 -0800 (PST)
Thanks to everyone who replied regarding my attempts to stuff shell commands into this line:
ua=`echo "$HTTP_USER_AGENT" | sed "s#\;##g"`
The summary is that no matter what type of " ' ` characters, shell commands, or termination or escape characters I tried to put into the $HTTP_USER_AGENT field I can't get it to execute commands. It's a surprisingly resilient line of code, most likely due to the "s around the $HTTP_USER_AGENT variable. I wouldn't call this type of programming "safe", but it's not *nearly* as bad as I thought at first.

The $ua variable is not ever used again so there's no other opportunity to exploit it... it's a very useless line of code which should be removed anyway--it just looks very exploitable (and may be by someone out there ;).

Thanks again to everyone that responded, it was very much appreciated & got me thinking in all sorts of different directions.

Regards
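
Added example, not part of the original post: a shell harness that feeds constructed User-Agent values through the quoted line and through an unquoted copy of it, then counts canary files to confirm that nothing inside the value was executed. The canary directory, the function names and the sample values are assumptions made for this demonstration.

```shell
#!/bin/sh
# Constructed demonstration: CANARY_DIR and all sample values are made up here.
CANARY_DIR=$(mktemp -d) || exit 1
trap 'rm -rf "$CANARY_DIR"' EXIT

# The line from the post, unchanged, applied to one value.
strip_ua() {
    HTTP_USER_AGENT=$1
    ua=`echo "$HTTP_USER_AGENT" | sed "s#\;##g"`
    printf '%s\n' "$ua"
}

# Same filter with the expansion left unquoted, for comparison only.
strip_ua_unquoted() {
    HTTP_USER_AGENT=$1
    ua=`echo $HTTP_USER_AGENT | sed "s#\;##g"`
    printf '%s\n' "$ua"
}

# Number of files in the canary directory; stays 0 if no value was executed.
canary_hits() {
    ls -A "$CANARY_DIR" | wc -l | tr -d ' '
}

# Feed each constructed value through both variants and report.
demo() {
    for v in \
        'Mozilla/4.0 (compatible; MSIE 6.0)' \
        "x\$(touch $CANARY_DIR/a)" \
        "x\`touch $CANARY_DIR/b\`" \
        "x\"; touch $CANARY_DIR/c; \"" \
        "x'; touch $CANARY_DIR/d #" \
        'a   b;c'
    do
        printf 'in:       %s\n' "$v"
        printf 'quoted:   %s\n' "$(strip_ua "$v")"
        printf 'unquoted: %s\n' "$(strip_ua_unquoted "$v")"
    done
    printf 'canary files created: %s\n' "$(canary_hits)"
}

demo
```

The unquoted copy still executes nothing, because the shell does not re-parse the result of a parameter expansion as commands; the double quotes only stop word splitting and filename expansion, which is why `a   b;c` comes back as `a bc` without them.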