Vulnerability Development: Re: shell script cgi

Re: shell script cgi

From: Nick Jacobsen <nick_at_ethicsdesign.com>
Date: Sat, 16 Nov 2002 01:44:15 -0800

Have you considered including quote characters in the HTTP_USER_AGENT field?
like so:
$HTTP_USER_AGENT = "" | cat "/etc/passwd"
if you do this, the ua=`echo "$HTTP_USER_AGENT" | sed "s#\;##g"` string will
come out looking like the following:
ua=`echo "" | cat "/etc/passwd" | sed "s#\;##g"`
all you are doing is terminating the echo text with a quote character, and
then adding another quote character before the filename so that the command
will be interpreted correctly...
Let me know if this works, but it should...

Nick Jacobsen
Ethics Design
nick_at_ethicsdesign.com

----- Original Message -----
From: "Philip Rowlands" <phr_at_doc.ic.ac.uk>
To: <vuln-dev_at_securityfocus.com>
Sent: Thursday, November 14, 2002 4:23 PM
Subject: Re: shell script cgi

> On Thu, 14 Nov 2002, c jones wrote:
>
> >I have found the line below in an sh cgi program, and believe I can
> >pass a command to the shell but can't seem to get it to work right.
> [snip]
> >ua=`echo "$HTTP_USER_AGENT" | sed "s#\;##g"`
>
> The quotes around HTTP_USER_AGENT prevent any "chained commands", e.g.
> 'Mozilla 6; rm -rf /'.
>
> Perhaps you're confusing the backticks; they execute the line given in
> the script, not the result of the 'echo ...; sed'.
>
> I don't see any way here to manipulate the input to execute arbitrary
> code.
>
>
> Cheers,
>
> Phil
>
Received on Nov 17 2002
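
Added example, not part of the thread: a small harness for checking how the shell treats the header value in the line under discussion. The shell parses quotes and pipes in the script text before it expands `"$HTTP_USER_AGENT"`, so characters inside the value are not re-read as shell syntax. The `probe` helper, the scratch directory and the sample values are constructed for illustration.

```shell
#!/bin/sh
# Added example; probe(), the scratch directory and the sample values are constructed.

# The CGI line quoted in the thread, unchanged, wrapped so it can be fed a value.
cgi_ua() {
    HTTP_USER_AGENT=$1
    ua=`echo "$HTTP_USER_AGENT" | sed "s#\;##g"`
    printf '%s\n' "$ua"
}

# Run the line on one value inside an empty scratch directory.
# Prints "data|<ua>" if nothing was created there (the value stayed inert),
# or "executed|<ua>" if any file appeared (part of the value ran as a command).
probe() {
    dir=$(mktemp -d) || return 1
    out=$(cd "$dir" && cgi_ua "$1")
    if [ -n "$(ls -A "$dir")" ]; then verdict=executed; else verdict=data; fi
    rm -rf "$dir"
    printf '%s|%s\n' "$verdict" "$out"
}

# Constructed header values: a chained command, embedded quote characters,
# and both command-substitution syntaxes. "touch marker" is a harmless
# stand-in whose side effect is easy to detect.
for value in \
    'Mozilla 6; touch marker' \
    '" | touch "marker' \
    '$(touch marker)' \
    '`touch marker`'
do
    probe "$value"
done
```

Each line of output starts with `data|`, followed by the value with only its semicolons removed.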
