Answering two messages in one...

--- Ian Stoba <ianat_private> wrote:
> Sorry to state the obvious, but you know that the HTTP_USER_AGENT is
> set in the headers and not in the request, right?

Correct. I am explicitly setting the value (although I did try to use arguments to the CGI so I could reference $*, but that didn't get me anywhere).

--- Brian Hatch <vuln-devat_private> wrote:
> Anyone else remembering the 'nph-finger' days of yore?
> It had
>     echo QUERY_STRING = $QUERY_STRING
>
> you could pass things like '*' to abuse shell filename
> expansion, and that'd be the best you're going to get
> out of that code. I don't think you can get it to
> execute arbitrary commands, no matter what you try.

Okay... my testing with this is telling me that this is true, but... why? Where is the protection coming from--the fact that HTTP_USER_AGENT is an environment variable? It seems that if I set the value *in* the script it terminates the echo command & executes what I want it to, but if it comes from the environment it interprets it as a string and that's it.

I searched the Neohapsis/SF archives for nph-finger but couldn't find any history there...

I suppose I should have put this in my first message, but here's a general sample of what I'm trying to put into the HTTP_USER_AGENT field (for testing trying to cat the passwd file to /tmp) (I've tried a million variations trying to terminate that first echo):

    "|cat /etc/passwd>/tmp/passwd|echo "

Thanks for your help
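The behaviour discussed in this message, as an added example that is not part of the original post: the shell recognises quotes, `|` and `;` when it parses the command line, before variables are expanded, so a value arriving in HTTP_USER_AGENT is only word-split and glob-expanded, while the same characters placed in the script text are parsed as commands. The marker-file payload, the scratch directory and the function names are constructed for the demo.

```shell
#!/bin/sh
# Added example. All values below are constructed for the demo.
WORK=$(mktemp -d)                      # scratch directory
MARKER="$WORK/marker"                  # created only if the payload runs
touch "$WORK/a.txt" "$WORK/b.txt"      # two files for the glob case
trap 'rm -rf "$WORK"' EXIT

# Same shape as the string in the post; the payload just creates a marker file.
INJECT="\"|touch $MARKER|echo \""

ran() { if [ -e "$MARKER" ]; then echo executed; else echo data-only; fi; }

# Case 1: the value comes from the environment and is expanded by the shell.
# The line was already parsed as "echo <word>" before expansion, so the
# quotes and pipes inside the value never reach the parser.
from_environment() {
    rm -f "$MARKER"
    ( cd "$WORK" && export HTTP_USER_AGENT="$1" && echo $HTTP_USER_AGENT ) >/dev/null
    ran
}

# Case 2: the same characters are part of the script text itself. eval is
# used here to re-parse the string as source, which is what happens when
# the value is typed into the script.
in_script_text() {
    rm -f "$MARKER"
    ( cd "$WORK" && eval "echo \"$1\"" ) >/dev/null 2>&1
    ran
}

# Case 3: what unquoted expansion does permit: word splitting and filename
# expansion. Prints the number of words echo would receive for '*'.
words_for_star() {
    rm -f "$MARKER"
    HTTP_USER_AGENT='*'
    if [ "$1" = quoted ]; then ( cd "$WORK" && set -- "$HTTP_USER_AGENT" && echo $# )
    else ( cd "$WORK" && set -- $HTTP_USER_AGENT && echo $# ); fi
}

echo "from environment : $(from_environment "$INJECT")"
echo "in script text   : $(in_script_text "$INJECT")"
echo "unquoted '*'     : $(words_for_star unquoted) words"
echo "quoted '*'       : $(words_for_star quoted) word"
```

Quoting the expansion (`echo "$HTTP_USER_AGENT"`) removes the remaining glob and word-splitting behaviour; passing request data to `eval` or building script text from it reintroduces command execution.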
This archive was generated by hypermail 2b30 : Fri Nov 15 2002 - 23:31:28 PST