Pantek Library

Re: shell script cgi

From: Philip Rowlands <phr(at)doc.ic.ac.uk>
Date: Thu Nov 14 2002 - 19:23:46 EST


On Thu, 14 Nov 2002, c jones wrote:

>I have found the line below in an sh cgi program, and believe I can
[snip]
>ua=`echo "$HTTP_USER_AGENT" | sed "s#\;##g"`

The quotes around HTTP_USER_AGENT prevent any "chained commands", e.g. 'Mozilla 6; rm -rf /'.

Perhaps you're confusing the backticks; they execute the line given in the script, not the result of the 'echo ...; sed'.

I don't see any way here to manipulate the input to execute arbitrary code.

Cheers,

Phil

Received on Sat Nov 16 04:14:07 2002
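The behaviour described in the reply, as an added example that is not part of the original post: the quoted line from the thread is run on a constructed User-Agent containing `;`, next to a hypothetical `eval` variant that re-parses the value as shell source. The names `strip_quoted`, `strip_eval`, `canary_created_by`, the canary path and the sample value are assumptions made for this illustration.

```shell
#!/bin/sh
# Constructed sample input: a User-Agent carrying a shell metacharacter.
# The canary path is hypothetical; the trailing command only creates an empty file.
CANARY="/tmp/ua_canary.$$"
SAMPLE_UA="Mozilla 6; touch $CANARY"

# The line from the thread. The variable is expanded inside double quotes,
# so echo receives it as a single argument and the shell never re-parses it.
strip_quoted() {
    HTTP_USER_AGENT=$1
    ua=`echo "$HTTP_USER_AGENT" | sed "s#\;##g"`
    printf '%s\n' "$ua"
}

# Contrast, not in the thread: eval parses the expanded value as shell
# source, so the ';' in the input becomes a command separator.
strip_eval() {
    HTTP_USER_AGENT=$1
    ua=`eval "echo $HTTP_USER_AGENT" | sed "s#\;##g"`
    printf '%s\n' "$ua"
}

# Returns 0 if running the named function on the sample created the canary.
canary_created_by() {
    rm -f "$CANARY"
    "$1" "$SAMPLE_UA" >/dev/null
    if [ -e "$CANARY" ]; then
        rm -f "$CANARY"
        return 0
    fi
    return 1
}

for f in strip_quoted strip_eval; do
    if canary_created_by "$f"; then
        echo "$f: input was executed as a command"
    else
        echo "$f: input stayed data"
    fi
done
```

When auditing sh CGI scripts, the pattern to look for is therefore request data reaching `eval`, an unquoted expansion, or a second shell, rather than backticks as such.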

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:37 EDT
