Vulnerability Development mailing list archives
Re: shell script cgi
From: "Nick Jacobsen" <nick () ethicsdesign com>
Date: Sat, 16 Nov 2002 01:44:15 -0800
Have you considered including quote characters in the HTTP_USER_AGENT field? Like so:

$HTTP_USER_AGENT = "" | cat "/etc/passwd"

If you do this, the

ua=`echo "$HTTP_USER_AGENT" | sed "s#\;##g"`

string will come out looking like the following:

ua=`echo "" | cat "/etc/passwd" | sed "s#\;##g"`

All you are doing is terminating the echo text with a quote character, and then adding another quote character before the filename so that the command will be interpreted correctly... Let me know if this works, but it should...

Nick Jacobsen
Ethics Design
nick () ethicsdesign com

----- Original Message -----
From: "Philip Rowlands" <phr () doc ic ac uk>
To: <vuln-dev () securityfocus com>
Sent: Thursday, November 14, 2002 4:23 PM
Subject: Re: shell script cgi
On Thu, 14 Nov 2002, c jones wrote:

I have found the line below in an sh cgi program, and believe I can pass a command to the shell but can't seem to get it to work right.
[snip]
ua=`echo "$HTTP_USER_AGENT" | sed "s#\;##g"`

The quotes around HTTP_USER_AGENT prevent any "chained commands", e.g. 'Mozilla 6; rm -rf /'. Perhaps you're confusing the backticks; they execute the line given in the script, not the result of the 'echo ...; sed'. I don't see any way here to manipulate the input to execute arbitrary code.

Cheers,
Phil
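The CGI line at the centre of this thread, run against constructed User-Agent values so the shell's actual parsing can be checked rather than argued about. This is an added example, not code from any poster: sanitize_ua reproduces the thread's line verbatim, sanitize_ua_safe is an assumed hardened variant that uses printf instead of echo, and the payload strings are constructed for the test. In a POSIX shell, quote removal and command parsing apply only to the text of the script itself; characters that come out of the "$HTTP_USER_AGENT" expansion inside double quotes are never re-parsed, so quotes or semicolons in the value stay ordinary characters of echo's single argument and the backticks only ever run the script's own echo | sed pipeline.

```shell
#!/bin/sh
# Added example, not code from the thread. It reproduces the CGI line under
# discussion with constructed User-Agent values to show how sh parses it.

# The exact line from the script being discussed, wrapped in a function.
# sed deletes every ';' from whatever echo printed; nothing else is parsed.
sanitize_ua() {
    HTTP_USER_AGENT=$1
    ua=`echo "$HTTP_USER_AGENT" | sed "s#\;##g"`
    printf '%s' "$ua"
}

# Assumed hardened variant (not from the thread): printf '%s' never treats
# its argument as options, so a value such as "-n" or "-e" survives intact,
# whereas echo on most shells would swallow a bare "-n".
sanitize_ua_safe() {
    ua=`printf '%s' "$1" | sed 's/;//g'`
    printf '%s' "$ua"
}

# Constructed test values.
UA_QUOTES='" | echo INJECTED "'      # the quote-insertion idea from the thread
UA_SEMI='Mozilla 6; id'              # the chained-command shape Phil describes

# If the quotes were re-parsed, the first line would print [INJECTED];
# instead the payload comes back as literal text.
echo "quotes payload    -> [$(sanitize_ua "$UA_QUOTES")]"
echo "semicolon payload -> [$(sanitize_ua "$UA_SEMI")]"
echo "dash-only value   -> echo [$(sanitize_ua '-n')] vs printf [$(sanitize_ua_safe '-n')]"
```

Run it with any POSIX sh (dash, bash, ksh): the quote payload is echoed back character for character, the semicolon is stripped from the second value, and only the echo-based version loses a User-Agent that consists solely of an option-like string, which is the one practical reason to prefer printf '%s' in this kind of CGI filter.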
Current thread:
- shell script cgi c jones (Nov 14)
- Re: shell script cgi Brian Hatch (Nov 14)
- Re: shell script cgi c jones (Nov 15)
- Re: shell script cgi Philip Rowlands (Nov 16)
- Re: shell script cgi Nick Jacobsen (Nov 16)
- Re: shell script cgi Ed Schmollinger (Nov 17)
- Re: shell script cgi (summary?) c jones (Nov 18)
- Re: shell script cgi (summary?) Brian Fury (Nov 19)
- Re: shell script cgi (summary?) Andre Breiler (Nov 20)
- Re: shell script cgi (summary?) Philip Rowlands (Nov 20)
- Re: shell script cgi (summary?) Brian Hatch (Nov 19)
- Re: shell script cgi Nick Jacobsen (Nov 16)
- Re: shell script cgi Brian Hatch (Nov 14)
- Re: shell script cgi Rajko Zschiegner (Nov 16)
- Re: shell script cgi mlh (Nov 18)
- <Possible follow-ups>
- RE: shell script cgi Rajko Zschiegner (Nov 16)
- Re: shell script cgi Brian Hatch (Nov 16)
