Vulnerability Development mailing list archives
Re: shell script cgi
From: c jones <ojnes33 () yahoo com>
Date: Fri, 15 Nov 2002 08:26:44 -0800 (PST)
Answering two messages in one...

--- Ian Stoba <ian () babcockbrown com> wrote:
> Sorry to state the obvious, but you know that the HTTP_USER_AGENT is set in the headers and not in the request, right?

Correct. I am explicitly setting the value (although I did try to use arguments to the CGI so I could reference $*, but that didn't get me anywhere).

--- Brian Hatch <vuln-dev () ifokr org> wrote:
> Anyone else remembering the 'nph-finger' days of yore? It had
>   echo QUERY_STRING = $QUERY_STRING
> you could pass things like '*' to abuse shell filename expansion, and that'd be the best you're going to get out of that code. I don't think you can get it to execute arbitrary commands, no matter what you try.

Okay... my testing with this is telling me that this is true, but... why? Where is the protection coming from--the fact that HTTP_USER_AGENT is an environment variable? It seems that if I set the value *in* the script it terminates the echo command & executes what I want it to, but if it comes from the environment it interprets it as a string and that's it. I searched the Neohapsis/SF archives for nph-finger but couldn't find any history there...

I suppose I should have put this in my first message, but here's a general sample of what I'm trying to put into the HTTP_USER_AGENT field (for testing, trying to cat the passwd file to /tmp) (I've tried a million variations trying to terminate that first echo):

"|cat /etc/passwd>/tmp/passwd|echo "

Thanks for your help
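The behaviour asked about above, shown as an added example that is not part of this thread: a POSIX shell never re-parses the result of a parameter expansion for operators (`|`, `;`, `>`), which is why the value arriving through the environment is printed rather than run; the only expansions applied to an unquoted `$HTTP_USER_AGENT` are word splitting and pathname expansion (globbing), which is the `'*'` effect Brian Hatch mentions, and double-quoting the expansion removes even those. The functions and the test value below are constructed here; they take the header value as an argument to stand in for the web server setting the variable.

```shell
#!/bin/sh
# Added example, not code from the thread. Simulates the CGI line
#   echo $HTTP_USER_AGENT
# with the header value passed in as $1 in place of the server's environment.

# Unquoted expansion, as in the CGI under discussion: the value is split into
# words and globbed, but metacharacters inside it are never treated as operators.
cgi_echo_unquoted() {
    HTTP_USER_AGENT="$1"
    echo $HTTP_USER_AGENT
}

# Hardened form: double quotes keep the value as one word, with no globbing.
cgi_echo_quoted() {
    HTTP_USER_AGENT="$1"
    echo "$HTTP_USER_AGENT"
}

# Number of words the unquoted expansion yields when evaluated inside directory $2
# (pathname expansion is relative to the current directory, so we cd there).
glob_word_count() {
    HTTP_USER_AGENT="$1"
    ( cd "$2" && set -- $HTTP_USER_AGENT && echo "$#" )
}

# Same measurement with the expansion quoted: always exactly one word.
quoted_word_count() {
    HTTP_USER_AGENT="$1"
    ( cd "$2" && set -- "$HTTP_USER_AGENT" && echo "$#" )
}

demo() {
    # Constructed value modelled on the string quoted in the message above.
    value='|cat /etc/passwd>/tmp/passwd|echo '
    echo "unquoted: $(cgi_echo_unquoted "$value")"   # printed literally, nothing executed
    echo "quoted:   $(cgi_echo_quoted "$value")"     # identical text, trailing space kept

    # Globbing is the one thing an unquoted expansion does leak: in a scratch
    # directory holding two files, '*' expands to both names.
    scratch=$(mktemp -d)
    : > "$scratch/a"
    : > "$scratch/b"
    echo "unquoted '*' words: $(glob_word_count '*' "$scratch")"     # 2
    echo "quoted   '*' words: $(quoted_word_count '*' "$scratch")"   # 1
    rm -rf "$scratch"
}

demo
```

The practical takeaway for a CGI author is the quoted form: `echo "$HTTP_USER_AGENT"` prints exactly the header as received, and the same quoting rule applies to any other variable the server populates from the request.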
Current thread:
- shell script cgi c jones (Nov 14)
- Re: shell script cgi Brian Hatch (Nov 14)
- Re: shell script cgi c jones (Nov 15)
- Re: shell script cgi Philip Rowlands (Nov 16)
- Re: shell script cgi Nick Jacobsen (Nov 16)
- Re: shell script cgi Ed Schmollinger (Nov 17)
- Re: shell script cgi (summary?) c jones (Nov 18)
- Re: shell script cgi (summary?) Brian Fury (Nov 19)
- Re: shell script cgi (summary?) Andre Breiler (Nov 20)
- Re: shell script cgi (summary?) Philip Rowlands (Nov 20)
- Re: shell script cgi (summary?) Brian Hatch (Nov 19)
- Re: shell script cgi Nick Jacobsen (Nov 16)
- Re: shell script cgi Brian Hatch (Nov 14)
- Re: shell script cgi Rajko Zschiegner (Nov 16)
- Re: shell script cgi mlh (Nov 18)