Re: shell script cgi (summary?)

From: Brian Hatch (vuln-devat_private)
Date: Mon Nov 18 2002 - 17:51:06 PST

    > Thanks to everyone who replied regarding my attempts
    > to stuff shell commands into this line:
    > 
    > > ua=`echo "$HTTP_USER_AGENT" | sed "s#\;##g"`
    > 
    > The summary is that no matter what type of " ' `
    > characters, shell commands, or termination or escape
    > characters I tried to put into the $HTTP_USER_AGENT
    > field I can't get it to execute commands.  It's a
    > surprisingly resilient line of code, most likely due
    > to the "s around the $HTTP_USER_AGENT variable. I
    > wouldn't call this type of programming "safe", but
    > it's not *nearly* as bad as I thought at first.
    
    I don't know what bad vibes you're getting here.
    You call it 'surprisingly resilient' and 'not
    nearly as bad' as you thought.  But the fact is
    it's acting exactly the way it should and is in
    no way exploitable.  It's not just "not nearly as
    bad" - it's rock solid.
    
    This doesn't mean it's pretty or elegant, but it's the
    only real way to do it in shell.  Yes, we could easily
    write better versions if this were in Perl or C, avoiding
    any external system() like calls.  But this simply
    works fine.
    
    > The $ua variable is not ever used again so there's no
    > other opportunity to exploit it.
    
    This is the crucial point though.  The line above cannot
    be exploited.  But if $ua were used somewhere else, the
    result of the line above may be abused in later uses
    of the variable.
    
    > .. it's a very useless
    > line of code which should be removed anyway--it just
    > looks very exploitable (and may be by someone out
    > there ;).
    
    I will go so far as to say that the "ua=..." assignment
    above *cannot* and will not ever be exploitable on a
    Bourne shell variant that acts properly and isn't broken
    itself.  This isn't an issue of timeline.  You can't break
    that line of shell.
    
    
    
    --
    Brian Hatch                  #define QUESTION \
       Systems and                  ((bb) || !(bb))
       Security Engineer
    http://www.ifokr.org/bri/
    
    Every message PGP signed
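
Worked example added to this archive page (it is not from the thread and not Brian Hatch's code): the `ua=` assignment under discussion is wrapped in a function and fed constructed User-Agent strings carrying backticks, `$(...)`, double quotes and semicolons, to show that the double-quoted expansion reaches `echo` as one literal word and nothing in it is executed. It then shows the reuse the reply warns about: the same value is safe in an ordinary quoted assignment but is re-parsed, and its embedded command run, if some later code passes it through `eval`. The function names (strip_semicolons, check_inert, reuse_quoted, reuse_with_eval), the `eval` line and the sample strings are assumptions made for the demonstration; the only command any of the strings can trigger is `echo INJECTED`.

```shell
#!/bin/sh
# Added example, not from the original thread. Function names and the
# sample User-Agent strings are constructed for this demonstration.

# The line from the thread, unchanged, inside a function so it can be
# run against several values of HTTP_USER_AGENT.
strip_semicolons() {
    HTTP_USER_AGENT=$1
    ua=`echo "$HTTP_USER_AGENT" | sed "s#\;##g"`
    printf '%s\n' "$ua"
}

# Constructed attack strings. "INJECTED" can only appear in output if
# some shell actually evaluated the string as code.
UA_BACKTICK='Mozilla/5.0 `echo INJECTED`'
UA_DOLLAR='Mozilla/5.0 $(echo INJECTED)'
UA_QUOTE='Mozilla/5.0 "; echo INJECTED; "'
UA_SEMI='Mozilla/5.0; echo INJECTED'

# Returns 0 when the value came back untouched apart from dropped ';'
# characters, i.e. no word splitting, no expansion, no execution.
check_inert() {
    out=$(strip_semicolons "$1")
    expected=$(printf '%s' "$1" | tr -d ';')
    [ "$out" = "$expected" ]
}

# Later use, safe variant: a quoted expansion is never re-parsed, so
# the metacharacters stay literal data.
reuse_quoted() {
    ua=$(strip_semicolons "$1")
    logline="UA=$ua"
    printf '%s\n' "$logline"
}

# Later use, unsafe variant (hypothetical, the thread mentions no such
# line): eval re-parses the expanded text, so a `...` or $(...) inside
# $ua is now executed. This is the "crucial point" in the reply.
reuse_with_eval() {
    ua=$(strip_semicolons "$1")
    eval "logline=\"UA=$ua\""
    printf '%s\n' "$logline"
}

# Stand-alone demonstration: the assignment itself is inert for every
# sample string.
for s in "$UA_BACKTICK" "$UA_DOLLAR" "$UA_QUOTE" "$UA_SEMI"; do
    if check_inert "$s"; then
        printf 'inert:    %s\n' "$s"
    else
        printf 'EXPANDED: %s\n' "$s"
    fi
done
```

One caveat the thread does not raise: `echo` is the weak spot of that line for data fidelity, not for injection. A User-Agent that begins with `-n` or `-e`, or that contains backslash sequences, is mangled by many `echo` implementations (dash interprets `\n` and friends; bash swallows a leading `-n`), so the value logged or compared later may differ from what the client sent. `printf '%s' "$HTTP_USER_AGENT"` has neither problem and is the usual replacement.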
    
    
    



    This archive was generated by hypermail 2b30 : Tue Nov 19 2002 - 22:42:05 PST