Vulnerability Development mailing list archives
Re: shell script cgi
From: mlh <mlh () zip com au>
Date: Sun, 17 Nov 2002 09:48:37 +1100
I'm convinced there is no way in this particular statement, given that the var is in quotes. All you're doing after all is echoing it, which only does one level of interpretation, which in this case is removing the quuotes. Of course, some values may be more dangerous for statements further on in the code. e.g. HTTP_USER_AGENT='`cat /etc/passwd`' Matt
Current thread:
- Re: shell script cgi (summary?), (continued)
- Re: shell script cgi (summary?) c jones (Nov 18)
- Re: shell script cgi (summary?) Brian Fury (Nov 19)
- Re: shell script cgi (summary?) Andre Breiler (Nov 20)
- Re: shell script cgi (summary?) Philip Rowlands (Nov 20)
- Re: shell script cgi (summary?) Brian Hatch (Nov 19)
- Re: shell script cgi (summary?) c jones (Nov 18)
- Re: shell script cgi Rajko Zschiegner (Nov 16)
- Re: shell script cgi mlh (Nov 18)
- RE: shell script cgi Rajko Zschiegner (Nov 16)
- Re: shell script cgi Brian Hatch (Nov 16)
- Re: shell script cgi Ralf Dreibrodt (Nov 17)
- Re: shell script cgi mlh (Nov 18)
- Re: shell script cgi Brian Hatch (Nov 16)