Have you considered including qoute characters in the HTTP_USER_AGENT field? like so: $HTTP_USER_AGENT = "" | cat "/etc/passwd" if you do this, the ua=`echo "$HTTP_USER_AGENT" | sed "s#\;##g"` stirng will come out looking like the following: ua=`echo "" | cat "/etc/passwd" | sed "s#\;##g"` all you are doing is terminating the echo text with a qoute character, and then adding another qoute character before the filename so that the command will be interpreted correctly... Let me know if this works, but it should... Nick Jacobsen Ethics Design nickat_private ----- Original Message ----- From: "Philip Rowlands" <phrat_private> To: <vuln-devat_private> Sent: Thursday, November 14, 2002 4:23 PM Subject: Re: shell script cgi > On Thu, 14 Nov 2002, c jones wrote: > > >I have found the line below in an sh cgi program, and believe I can > >pass a command to the shell but can't seem to get it to work right. > [snip] > >ua=`echo "$HTTP_USER_AGENT" | sed "s#\;##g"` > > The quotes around HTTP_USER_AGENT prevent any "chained commands", e.g. > 'Mozilla 6; rm -rf /'. > > Perhaps you're confusing the backticks; they execute the line given in > the script, not the result of the 'echo ...; sed'. > > I don't see any way here to manipulate the input to execute arbitrary > code. > > > Cheers, > > Phil >
This archive was generated by hypermail 2b30 : Sat Nov 16 2002 - 22:39:21 PST