|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
From: Brian Hatch (vuln-dev_at_ifokr.org)
Date: Thu Nov 14 2002 - 17:15:54 CST
> I have found the line below in an sh cgi program, and
> believe I can pass a command to the shell but can't
> seem to get it to work right. No matter what I try as
> the HTTP_USER_AGENT it interprets it as a string in
> the echo command & I can't get it to break it into a
> new command. Nothing is done to HTTP_USER_AGENT before
> this line...it's just reading it directly from the
> environment.
>
> Any help you may have is very much appreciated.
>
> Thanks
>
> ua=`echo "$HTTP_USER_AGENT" | sed "s#\;##g"`
Anyone else remembering the 'nph-finger' days of yore?
It had
echo QUERY_STRING = $QUERY_STRING
you could pass things like '*' to abuse shell filename
expansion, and that'd be the best you're going to get
out of that code. I don't think you can get it to
execute arbitrary commands, no matter what you try.
-- Brian Hatch Behavioral Psychology: Systems and Pulling habits out of rats Security Engineer http://www.ifokr.org/bri/Every message PGP signed
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org
iEYEARECAAYFAj3ULqoACgkQp6D9AhxzHxBqBQCffsf2eAqOvDQ8BA3Io4m5eVon gGgAnj50pAE2x/pnzjR6qdwr4fo4LARK =5RfR -----END PGP SIGNATURE-----
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]