Famous last words: "surely this CGI script is safe"
dsr at tao.merseine.nu
dsr at tao.merseine.nu
Mon Mar 31 17:42:11 EST 2003
On Mon, Mar 31, 2003 at 04:45:18PM -0500, Seth Gordon wrote:
> I've composed this CGI shell script as an example of backlink-tracing:
>
> [begin]
> #!/bin/bash
>
> echo "Content-type: text/plain"
> echo
>
> # If the linking page isn't in the referers file, add it.
> grep --quiet $HTTP_REFERER referers || echo $HTTP_REFERER >> referers
^
> Other than filling up my partition with spurious URLs, is there any
> damage that a malicious outsider could do with this script?
I need to find a way to fill this environment variable with an escape
character to invalidate bash's processing of the line, and then insert
my own code.
If $HTTP_REFERER has been previously sanitized to only contain, say,
[A-Za-z0-9_ ] you're fine.
-dsr-
--
"When in doubt, use brute force."
- Ken Thompson
More information about the Discuss
mailing list