mailing list archives
Re: BUG in /bin/bash
From: strombrg () hydra acs uci edu (Dan Stromberg)
Date: Sat, 14 Sep 1996 13:33:14 -0700
This worked on all the unix variants I tried except debian linux, which
uses bash for sh instead of "the real sh". I no longer have a copy of
ash to try.
Debian linux 1.1
Sure sounds like this interpretation of ^ comes from upstream...
Roger Espel Llima wrote:
VULNERABILITY: A variable declaration error in "bash" allows the character
with value 255 decimal to be used as a command separator.
That reminds me of a similar "little-known feature" on SunOS and
Solaris, where /bin/sh interprets '^' as a synonym for '|' :
$ sh -c 'echo blah ^ cat'
Again this could be exploited to fool CGI scripts (and ircII scripts
too) which execute shell commands with user-supplied data, after
checking for things like ';', '|' and '&'.
e-mail: roger.espel.llima () ens fr
WWW & PGP key: http://www.eleves.ens.fr:8080/home/espel/index.html