Vulnerability Development mailing list archives

Re: Serious Hole in Comment/Discussion CGI Script


From: Taneli Huuskonen <huuskone () CC HELSINKI FI>
Date: Sun, 29 Oct 2000 15:53:04 +0200

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Joe <joe () blarg net> wrote:

[...]
Null byte only works if the script decodes the url-encoded characters in the
query string, which the script is not doing. Hence, although you can grab
any '.txt' file, there's no way to inject control characters or whitespace
into the query string, which limits the damage you can do.

The open() call can be injected with a pipe ('|') to execute commands, but
without whitespace to work with there's not much you can do with it.
[...]

There's the old ${IFS} trick to get around that:

$file='touch${IFS}foo|';   # single quotes: ${IFS} reaches the shell unexpanded
open( FOO, $file );         # 2-arg open; the trailing '|' makes Perl run the string as a command

Taneli Huuskonen

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0i for non-commercial use
Charset: noconv

iQA/AwUBOfwrtF+t0CYLfLaVEQKTlQCeNIBt2qBChmcUcjgtTBLnXOcK/iEAoIM1
5WQGnXYfM6Ekkth26hICfwen
=bjin
-----END PGP SIGNATURE-----
--
I don't   | All messages will be PGP signed,  | Fight for your right to
speak for | encrypted mail preferred.  Keys:  | use sealed envelopes.
the Uni.  | http://www.helsinki.fi/~huuskone/ | http://www.gilc.org/
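The mechanism discussed in the thread, as an added example that is not part of the original post or of the CGI script under discussion: a stand-in for a script that passes an undecoded, whitespace-free query-string value to a two-argument open(), next to a hardened version. The function names, the query value and the document directory are assumptions for illustration. The vulnerable path returns the output of the injected command (the shell expands ${IFS} to its default space/tab/newline, which then separates the command from its argument), while the hardened path treats the same string as a filename only and rejects it.

```perl
#!/usr/bin/perl
# Added example, not the code of the script reported in the thread.
# Names, paths and the query value below are assumptions for illustration.
use strict;
use warnings;

# Vulnerable pattern: two-argument open() on attacker-controlled data.
# A trailing '|' makes Perl treat the string as a command to read from,
# and because '$' and '{' count as shell metacharacters, Perl runs it via
# /bin/sh -c, where ${IFS} expands to whitespace.  No space, tab or
# newline has to appear in the query string itself.
sub serve_vulnerable {
    my ($file) = @_;
    open(my $fh, $file) or return "open failed: $!";   # mode is taken from the string
    my $out = do { local $/; <$fh> };                  # slurp whatever comes back
    close $fh;
    return $out;
}

# Hardened pattern: three-argument open() with an explicit read mode, so
# the string can only ever be a filename, plus an allow-list on the name
# and a fixed base directory so that no other ".txt" file can be fetched.
sub serve_hardened {
    my ($name) = @_;
    return "rejected\n" unless $name =~ /\A[A-Za-z0-9_-]+\.txt\z/;
    my $path = "./docs/$name";    # assumed document directory
    open(my $fh, '<', $path) or return "open failed: $!\n";
    my $out = do { local $/; <$fh> };
    close $fh;
    return $out;
}

# Constructed query value as an attacker would send it: no whitespace and
# nothing that needs URL-decoding, yet the command still gets an argument.
# 'echo' is used instead of 'touch' so the effect is visible on stdout.
my $payload = 'echo${IFS}injected|';

print "vulnerable: ", serve_vulnerable($payload);
print "hardened:   ", serve_hardened($payload);
```

Run it as `perl ifs_open.pl` (file name assumed). The decisive change is the explicit `'<'` mode argument: with it, a leading or trailing `|`, `>` or `<` in the name is never interpreted, so the ${IFS} trick has nothing to act on; the allow-list is the second layer that also stops the unrelated "any .txt file" read mentioned in the thread.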
