Re: shell script cgi

From: Ed Schmollinger (schmolliat_private)
Date: Sun Nov 17 2002 - 06:58:00 PST

    On Sat, Nov 16, 2002 at 01:44:15AM -0800, Nick Jacobsen wrote:
    > Have you considered including quote characters in the HTTP_USER_AGENT field?
    > like so:
    > $HTTP_USER_AGENT = "" | cat "/etc/passwd"
    > if you do this, the ua=`echo "$HTTP_USER_AGENT" | sed "s#\;##g"` string will
    > come out looking like the following:
    > ua=`echo "" | cat "/etc/passwd" | sed "s#\;##g"`
    > all you are doing is terminating the echo text with a quote character, and
    > then adding another quote character before the filename so that the command
    > will be interpreted correctly...
    > Let me know if this works, but it should...
    
    That would require your string to be expanded twice, just like all the
    other examples that don't do anything bad.  echo doesn't expand its
    arguments, and the shell only expands variables once.
    
    It doesn't matter what you set $HTTP_USER_AGENT to.  It's quoted.  The
    worst that you can do with that code snippet is to pass a goofy looking
    value to sed via stdin.  If you're looking for something to exploit,
    look at how the variable $ua is used later on in the script.
    
    -- 
    Ed Schmollinger - schmolliat_private
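
An added example (not part of the original message or of the script under discussion) that contrasts the quoted, single expansion described above with a later use that parses the value a second time. The `eval` call is a hypothetical later use, and the canary path, the constructed header value and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed hostile User-Agent, modelled on the string quoted in the thread.
# It touches a canary file (assumed path) rather than reading a real file.
CANARY="${TMPDIR:-/tmp}/ua_canary.$$"
HOSTILE='" | touch "'"$CANARY"

# The assignment from the thread. "$HTTP_USER_AGENT" is expanded once and
# the result is passed to echo as data; it is never re-parsed as shell syntax.
sanitize_ua() {
    HTTP_USER_AGENT=$1
    ua=`echo "$HTTP_USER_AGENT" | sed "s#\;##g"`
    printf '%s\n' "$ua"
}

# Hypothetical later use (not from the original script): eval parses the
# value a second time, so the embedded quotes and pipe become syntax.
unsafe_later_use() {
    eval "echo \"$1\"" >/dev/null 2>&1
}

# Hardened later use: the value stays a quoted argument, with no eval.
safe_later_use() {
    printf 'User-Agent: %s\n' "$1" >/dev/null
}

canary_exists() { [ -e "$CANARY" ]; }

# Run one case and report whether the injected command ran.
check() {
    rm -f "$CANARY"
    "$@" >/dev/null
    if canary_exists; then echo "$1: injected command ran"
    else echo "$1: value stayed data"; fi
    rm -f "$CANARY"
}

check sanitize_ua "$HOSTILE"
check safe_later_use "$HOSTILE"
check unsafe_later_use "$HOSTILE"
```

Only the `eval` case creates the canary, which is why the review effort belongs on every later use of `$ua` rather than on the assignment.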
    
    
    



    This archive was generated by hypermail 2b30 : Sun Nov 17 2002 - 21:50:12 PST