Hosting Provided By

Re: shell script cgi

From: c jones <ojnes33(at)yahoo.com>
Date: Fri Nov 15 2002 - 11:26:44 EST

Answering two messages in one...

Ian Stoba <ian@babcockbrown.com> wrote:
> Sorry to state the obvious, but you know that the
> HTTP_USER_AGENT is
> set in the headers and not in the request, right?

Correct. I am explicitly setting the value (although I did try to use arguments to the CGI so I could reference $*, but that didn't get me anywhere).

Brian Hatch <vuln-dev@ifokr.org> wrote:
> Anyone else remembering the 'nph-finger' days of

Okay... my testing with this is telling that this is true, but... why? Where is the protection coming from--the fact that HTTP_USER_AGENT is an environment variable? It seems that if I set the value *in* the script it terminates the echo command & executes what I want it to, but if it comes from the environment it interprets it as a string and that's it.

I searhed the Neohapsis/SF archives for nph-finger but couldn't find any history there...

I suppose I should have put this in my first message, but here's a general sample of what I'm trying to put into the HTTP_USER_AGENT field (for testing trying to cat the passwd file to /tmp)(I've tried a million variations trying to terminate that first echo): "|cat /etc/passwd>/tmp/passwd|echo "

Thanks for you help

Do you Yahoo!?
Yahoo! Web Hosting - Let the expert host your site http://webhosting.yahoo.com Received on Sat Nov 16 02:31:52 2002

This message: [ Message body ]
Next message: Philip Rowlands: "Re: shell script cgi"
In reply to Brian Hatch: "Re: shell script cgi"
Next in thread: Philip Rowlands: "Re: shell script cgi"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:37 EDT