BLU Discuss list archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Famous last words: "surely this CGI script is safe"

Subject: Famous last words: "surely this CGI script is safe"
From: dsr at tao.merseine.nu (dsr at tao.merseine.nu)
Date: Mon, 31 Mar 2003 17:42:11 -0500
In-reply-to: <1049147119.602.11.camel@belladonna>
References: <1049147119.602.11.camel@belladonna>

On Mon, Mar 31, 2003 at 04:45:18PM -0500, Seth Gordon wrote:
> I've composed this CGI shell script as an example of backlink-tracing:
> 
> [begin]
> #!/bin/bash
> 
> echo "Content-type: text/plain"
> echo
> 
> # If the linking page isn't in the referers file, add it.
> grep --quiet $HTTP_REFERER referers || echo $HTTP_REFERER >> referers
                   ^

> Other than filling up my partition with spurious URLs, is there any
> damage that a malicious outsider could do with this script?

I need to find a way to fill this environment variable with an escape
character to invalidate bash's processing of the line, and then insert
my own code.

If $HTTP_REFERER has been previously sanitized to only contain, say,
[A-Za-z0-9_ ] you're fine.

-dsr-

-- 
"When in doubt, use brute force."
                   - Ken Thompson

References:
- Famous last words: "surely this CGI script is safe"
  - From: sethg at ropine.com (Seth Gordon)

Prev by Date: Famous last words: "surely this CGI script is safe"
Next by Date: Famous last words: "surely this CGI script is safe"
Previous by thread: Famous last words: "surely this CGI script is safe"
Next by thread: Famous last words: "surely this CGI script is safe"
Index(es):
- Date
- Thread


BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.

Boston Linux & Unix / webmaster@blu.org