[7535] in bugtraq

Re: PATCH: faxsurvey

daemon@ATHENA.MIT.EDU (Illuminatus Primus)
Wed Aug 5 16:07:59 1998

Date: 	Wed, 5 Aug 1998 14:31:45 -0400
Reply-To: Illuminatus Primus <vermont@GATE.NET>
From: Illuminatus Primus <vermont@GATE.NET>
X-To:         Sir Syko <sirsyko@BLEEP.ISHIBOO.COM>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <19980804170704.18360.qmail@bleep.ishiboo.com>

On Tue, 4 Aug 1998, Sir Syko wrote:

>
> how does your "patch" do anything except break the cgi? You are telling perl to
> eval the ECHO command which doesn't exist. Also, the quotes still aren't properly
> terminated.
>
> > +eval "ECHO "$QUERY_STRING" | $UNQUOTE -qn | $SED 's/PATH=[^;]*;//g'"
> >
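Review bot: In the added eval line, the inner `"` around `$QUERY_STRING` close the outer string instead of nesting, so the request text expands unquoted, and `ECHO` lacks the `$` that `$UNQUOTE` and `$SED` carry, so it is taken as a command name rather than a variable. Correcting both would still hand decoded request data to `eval`; the line should stop evaluating anything derived from `$QUERY_STRING` and read the keys it needs as plain data.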
>
> should you not make this:
>
> eval "$ECHO \'$QUERY_STRING\' | $UNQUOTE -qn | $SED 's/PATH=[^;]*;//g'"
>

Actually, both "fixes" will break the CGI.  It appears that this script (a
bash script) is using the unquote program (part of the HylaFAX
distribution) to parse the query string into a format similar to:

    key1=value1
    key2=value2

... which bash then evals to set the corresponding variables within the
script.  Obviously, this is incredibly insecure.  There are also many
other portions of the script that could be easily exploited.

The best thing to do is to either remove it, or completely rewrite it.
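
Added example, not part of the original post and not HylaFAX code: one way a shell CGI can read query parameters as data instead of evaluating the decoded key=value lines. The function names, the parameter names JobID and Name, and the sample request are constructed for illustration.

```shell
#!/bin/sh
# Added example (hypothetical names; not faxsurvey or HylaFAX code).
# Request text is decoded and compared as data; nothing is passed to eval.
LC_ALL=C; export LC_ALL

# Decode '+' and %XX escapes. The result is printed, never evaluated.
urldecode() {
    s=$(printf '%s' "$1" | tr '+' ' ')
    out=
    while :; do
        case $s in *%*) ;; *) break ;; esac
        out=$out${s%%"%"*}              # copy text before the next '%'
        s=${s#*"%"}
        case $s in
            [0-9A-Fa-f][0-9A-Fa-f]*)
                hex=${s%"${s#??}"}      # first two characters
                ch=$(printf '%b_' "\\0$(printf '%o' "0x$hex")")  # '_' guards a newline
                out=$out${ch%_}
                s=${s#??} ;;
            *)  out=$out% ;;            # stray '%': keep it literally
        esac
    done
    printf '%s' "$out$s"
}

# Print the decoded value of key $1 in query string $2; status 1 if absent.
get_param() {
    want=$1; qs=$2
    while [ -n "$qs" ]; do
        pair=${qs%%"&"*}
        case $qs in *"&"*) qs=${qs#*"&"} ;; *) qs= ;; esac
        if [ "${pair%%=*}" = "$want" ]; then
            case $pair in *=*) urldecode "${pair#*=}" ;; esac
            return 0
        fi
    done
    return 1
}

# Allowlist: 1 to 64 characters drawn from [A-Za-z0-9._-].
is_safe_token() {
    case $1 in ""|*[!A-Za-z0-9._-]*) return 1 ;; esac
    [ "${#1}" -le 64 ]
}

# Constructed request: JobID decodes to text holding shell metacharacters.
QS='JobID=42%3B+echo+INJECTED&Name=alice'
job=$(get_param JobID "$QS")
is_safe_token "$job" || printf 'rejected JobID: %s\n' "$job"
```

A value that fails is_safe_token should be refused before it is used in any command line or file name.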