Bugtraq mailing list archives

Re: Vulnerability in Glimpse HTTP
From: m.pool () PHAROS COM AU (Martin Pool)
Date: Thu, 10 Jul 1997 23:53:35 -0000


-----BEGIN PGP SIGNED MESSAGE-----

Date:         Wed, 9 Jul 1997 13:00:07 -0600
From: Oliver Friedrichs <oliverf () SILENCE SECNET COM>

They are...

  ^ (acts as pipe under some shells)
 \n (acts as shell delimiter)
  \ (in the esc_chars version of the function, this allows \; to
     be escaped as \\;, then unescaped by shell into \; again.)

This should be somewhat disturbing as a rather fearful number of
people have read that document and only a very few have actually
noticed these oversights.  I certainly hope the majority of programmers

This is true, however in the context of this particular bug (Glimpse) this
isn't the case.  The reason for this being that open() in perl does not
honour these escape characters.

I think perl just passes the string to the shell program (set at
compile time?) which is usually /bin/sh.  So, most shells will
interpret a linefeed or semicolon as a command separator, and some may
take ^ as a pipe.

For example,

  $ perl -e 'open FOO, "echo \$RANDOM\ndate\;id|"; print <FOO>;'
  18773
  Fri Jul 11 09:52:20 EST 1997
  uid=500(mbp) gid=500(mbp) groups=...

- --
Martin Pool <m.pool () pharos com au>
Pharos Business Solutions

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: http://www.pharos.com.au/mbp/public_key.txt

iQB1AwUBM8V19Tr8By6pblTZAQEO1wL6A7LujtV5a0O6R1DiCQoGRkbjK0qUVNTY
5A8xZc4aZhHGBTpKIQp8k3mZB0TLoN4T8oqYoCq2AEcRUIo2N6DpZ330mRvujxtO
bell4Nae2XU4RIHOjCSIKrRA2j1duLe1
=Y0vB
-----END PGP SIGNATURE-----
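
The following Perl sketch is an added example, not part of the original message or of Glimpse. It contrasts the two-argument pipe open discussed in the thread with the list form of open, which bypasses the shell; the `escape_blacklist` helper and the input string are hypothetical and constructed for illustration.

```perl
#!/usr/bin/perl
# Added illustration; not code from the thread or from Glimpse.
use strict;
use warnings;

# Hypothetical blacklist escaper: backslash-escapes common shell
# metacharacters but, like the function the thread criticises,
# leaves "^", newline and "\" untouched.
sub escape_blacklist {
    my ($s) = @_;
    $s =~ s/([;<>*|`&\$!#()\[\]{}:'"])/\\$1/g;
    return $s;
}

# Constructed input: a search term, a newline, then a second command.
my $term = "needle\nid";

# 1. Two-argument pipe open: Perl sees the newline and hands the whole
#    string to the shell, which treats the newline as a command separator.
my $escaped = escape_blacklist($term);    # unchanged: nothing matched
open(my $sh, "echo $escaped |") or die "open: $!";
my @via_shell = <$sh>;
close $sh;

# 2. List-form pipe open (Perl 5.8+, fork-capable platforms): no shell
#    runs, and $term reaches echo as a single argv entry.
open(my $direct, '-|', 'echo', $term) or die "open: $!";
my @via_exec = <$direct>;
close $direct;

print "two-argument open (via shell):\n";
print "  $_" for @via_shell;
print "list-form open (no shell):\n";
print "  $_" for @via_exec;
```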
