Vulnerability Development mailing list archives

Re: shell script cgi


From: c jones <ojnes33 () yahoo com>
Date: Fri, 15 Nov 2002 08:26:44 -0800 (PST)

Answering two messages in one...

--- Ian Stoba <ian () babcockbrown com> wrote:
> Sorry to state the obvious, but you know that the HTTP_USER_AGENT is
> set in the headers and not in the request, right?

Correct. I am explicitly setting the value (although I
did try to use arguments to the CGI so I could
reference $*, but that didn't get me anywhere).


--- Brian Hatch <vuln-dev () ifokr org> wrote:
> Anyone else remembering the 'nph-finger' days of yore?
> It had
>       echo QUERY_STRING = $QUERY_STRING
>
> you could pass things like '*' to abuse shell filename
> expansion, and that'd be the best you're going to get
> out of that code.  I don't think you can get it to
> execute arbitrary commands, no matter what you try.

Okay... my testing with this is telling me that this is
true, but... why? Where is the protection coming
from--the fact that HTTP_USER_AGENT is an environment
variable?  It seems that if I set the value *in* the
script it terminates the echo command & executes what
I want it to, but if it comes from the environment it
interprets it as a string and that's it.

I searched the Neohapsis/SF archives for nph-finger but
couldn't find any history there... 

I suppose I should have put this in my first message,
but here's a general sample of what I'm trying to put
into the HTTP_USER_AGENT field (for testing trying to
cat the passwd file to /tmp)(I've tried a million
variations trying to terminate that first echo):
"|cat /etc/passwd>/tmp/passwd|echo "

Thanks for your help

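Added example, not part of the original message or of any script discussed in the thread: a POSIX shell sketch of why a value arriving in an environment variable is not re-parsed as shell syntax, what an unquoted expansion still does (the '*' case), and how `eval` brings the parsing back. The variable values, the `docroot` directory, the marker file and the function names are constructed for the demonstration, and a harmless `touch` stands in for the command.

```shell
#!/bin/sh
# Added example. All values below are constructed for the demonstration.
WORK=$(mktemp -d) && mkdir "$WORK/docroot" || exit 1
trap 'rm -rf "$WORK"' EXIT
touch "$WORK/docroot/a.html" "$WORK/docroot/b.cgi"
MARKER="$WORK/executed"

# Same shape as the value in the post; a harmless `touch` of a marker file
# stands in for the command so the script can tell whether anything ran.
HTTP_USER_AGENT="\"|touch $MARKER|echo \""
export HTTP_USER_AGENT

# Case 1: ordinary expansion, as in `echo QUERY_STRING = $QUERY_STRING`.
# The shell splits the line into commands (on |, ;, quotes) BEFORE it expands
# variables, so metacharacters that arrive inside the value are never parsed.
plain_expansion() {
    rm -f "$MARKER"
    out=$(echo UA = $HTTP_USER_AGENT)
    if [ -e "$MARKER" ]; then echo executed; else echo "$out"; fi
}

# Case 2: what an unquoted expansion does still undergo: field splitting
# and filename expansion. This is the '*' behaviour Brian Hatch describes.
glob_unquoted() { ( cd "$WORK/docroot" && QUERY_STRING='*' && echo $QUERY_STRING ); }
glob_quoted()   { ( cd "$WORK/docroot" && QUERY_STRING='*' && echo "$QUERY_STRING" ); }

# Case 3: the value becomes part of the script text and is parsed again.
# eval (like pasting the value into the script) sees the embedded quote and pipes.
reparsed_with_eval() {
    rm -f "$MARKER"
    eval "echo \"UA = $HTTP_USER_AGENT\"" >/dev/null
    if [ -e "$MARKER" ]; then echo executed; else echo literal; fi
}

echo "plain expansion : $(plain_expansion)"
echo "unquoted glob   : $(glob_unquoted)"
echo "quoted glob     : $(glob_quoted)"
echo "eval re-parse   : $(reparsed_with_eval)"
```

When reviewing a shell CGI, check that every expansion of request data is double-quoted and that no request data reaches `eval`, backticks or an `sh -c` string.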

