Vulnerability Development mailing list archives

Re: shell script cgi

From: Ralf Dreibrodt <ralf () dreibrodt de>
Date: Sun, 17 Nov 2002 16:09:17 +0100

Hi,

here is another try, that sometimes works:

Brian Hatch wrote:

To emulate this, let's set it ourselves in a normal shell:

        bash$ export VAR='`cat /etc/passwd`'
        bash$ echo $VAR
        `cat /etc/passwd`


bash:~# export VAR='-e test\ntest'
bash:~# echo $VAR
test
test
bash:~# echo "$VAR"
-e test\ntest
bash:~# 

well, the "$VAR" means, that $VAR is the first argument for echo.

IMHO there is nothing you can do to execute code in this statement.

bye
ralf

Current thread:

Re: shell script cgi, (continued)
- - - Re: shell script cgi Ed Schmollinger (Nov 17)
  - Re: shell script cgi (summary?) c jones (Nov 18)
    - Re: shell script cgi (summary?) Brian Fury (Nov 19)
    - Re: shell script cgi (summary?) Andre Breiler (Nov 20)
    - Re: shell script cgi (summary?) Philip Rowlands (Nov 20)
    - Re: shell script cgi (summary?) Brian Hatch (Nov 19)
- Re: shell script cgi Rajko Zschiegner (Nov 16)
- Re: shell script cgi mlh (Nov 18)
- RE: shell script cgi Rajko Zschiegner (Nov 16)
  - Re: shell script cgi Brian Hatch (Nov 16)
    - Re: shell script cgi Ralf Dreibrodt (Nov 17)
  - Re: shell script cgi mlh (Nov 18)