[3344] in bugtraq

Re: BUG in /bin/bash

daemon@ATHENA.MIT.EDU (Roger Espel Llima)
Fri Sep 13 13:17:04 1996

Date: 	Fri, 13 Sep 1996 11:24:05 +0200
Reply-To: Roger Espel Llima <espel@clipper.ens.fr>
From: Roger Espel Llima <espel@clipper.ens.fr>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@netspace.org>
In-Reply-To:  <m0utYUU-000RhxC@sec.de> from "Seven Up" at Aug 22, 96 11:44:26 am

>> VULNERABILITY:  A variable declaration error in "bash" allows the character
>>                 with value 255 decimal to be used as a command separator.

  That reminds me of a similar "little-known feature" on SunOS and
Solaris, where /bin/sh interprets '^' as a synonym for '|' :

$ sh -c 'echo blah ^ cat'
blah

  Again this could be exploited to fool CGI scripts (and ircII scripts
too) which execute shell commands with user-supplied data, after
checking for things like ';', '|' and '&'.

        -Roger
--
e-mail: roger.espel.llima@ens.fr
WWW & PGP key: http://www.eleves.ens.fr:8080/home/espel/index.html
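
Added example, not part of the original message: the blocklist check the message describes (';', '|' and '&') next to an allowlist check, run over constructed inputs that include the '^' and byte-255 cases. All function names and sample strings are hypothetical.

```shell
#!/bin/sh
# Added example; function names and sample inputs are constructed.
LC_ALL=C; export LC_ALL   # match byte-wise so byte 255 is never a "letter"

# The check described in the message: reject only ';', '|' and '&'.
blocklist_ok() {
    case $1 in
        *[\;\|\&]*) return 1 ;;
        *)          return 0 ;;
    esac
}

# Allowlist: non-empty and made only of characters no shell treats specially.
allowlist_ok() {
    case $1 in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
        *)                    return 0 ;;
    esac
}

# Report how each check judges one input.
verdict() {
    if blocklist_ok "$1"; then b=accept; else b=reject; fi
    if allowlist_ok "$1"; then a=accept; else a=reject; fi
    printf 'blocklist=%s allowlist=%s\n' "$b" "$a"
}

# Handler shape: validate first, then pass the value as a single argument.
# The value is never pasted into a string handed to "sh -c".
greet() {
    allowlist_ok "$1" || { echo 'rejected'; return 1; }
    printf 'hello %s\n' "$1"
}

b255=$(printf '\377')          # the byte from the quoted bash report
verdict 'blah'                 # plain word
verdict 'blah ^ cat'           # the SunOS/Solaris /bin/sh case from the message
verdict "blah${b255}cat"       # the bash case
verdict 'blah; cat'            # the only one the blocklist catches
```

The blocklist accepts both separator variants because it enumerates known-bad characters for one shell; the allowlist rejects them without needing to know which shell will parse the data.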
