mailing list archives
Re: Vulnerability in Glimpse HTTP
From: m.pool () PHAROS COM AU (Martin Pool)
Date: Thu, 10 Jul 1997 23:53:35 -0000
-----BEGIN PGP SIGNED MESSAGE-----
Date: Wed, 9 Jul 1997 13:00:07 -0600
From: Oliver Friedrichs <oliverf () SILENCE SECNET COM>
^ (acts as pipe under some shells)
\n (acts as shell delimeter)
\ (in the esc_chars version of the function, this allows \; to
be escaped as \\;, then unescaped by shell into \; again.)
This should be somewhat distrubing as a rather fearful number of
people have read that document and only a very few have actually
noticed these oversights. I certainly hope the majority of programmers
This is true, however in the context of this particular bug (Glimpse) this
isn't the case. The reason for this being that open() in perl does not
honour these escape characters.
I think perl just passes the string to the shell program (set at
compile time?) which is usually /bin/sh. So, most shells will
interpret a linefeed or semicolon as a command separator, and some may
take ^ as a pipe.
$ perl -e 'open FOO, "echo \$RANDOM\ndate\;id|"; print <FOO>;'
Fri Jul 11 09:52:20 EST 1997
uid=500(mbp) gid=500(mbp) groups=...
Martin Pool <m.pool () pharos com au>
Pharos Business Solutions
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----