Bugtraq mailing list archives

Re: BUG in /bin/bash

From: espel () clipper ens fr (Roger Espel Llima)
Date: Fri, 13 Sep 1996 11:24:05 +0200

VULNERABILITY:  A variable declaration error in "bash" allows the character
                with value 255 decimal to be used as a command separator.


  That reminds me of a similar "little-known feature" on SunOS and
Solaris, where /bin/sh interprets '^' as a synonym for '|' :

$ sh -c 'echo blah ^ cat'
blah

  Again this could be exploited to fool CGI scripts (and ircII scripts
too) which execute shell commands with user-supplied data, after
checking for things like ';', '|' and '&'.

        -Roger
--
e-mail: roger.espel.llima () ens fr
WWW & PGP key: http://www.eleves.ens.fr:8080/home/espel/index.html

Current thread:

Re: BUG in /bin/bash Roger Espel Llima (Sep 13)
- Re: BUG in /bin/bash Yiorgos Adamopoulos (Sep 13)
  - Re: BUG in /bin/bash Julian Assange (Sep 13)
  - Re: BUG in /bin/bash Alan Cox (Sep 14)
  - Re: BUG in /bin/bash Aggelos P. Varvitsiotis (Sep 16)
- <Possible follow-ups>
- Re: BUG in /bin/bash Eugene Bradley (Sep 13)
- Re: BUG in /bin/bash Dan Stromberg (Sep 14)
  - Re: BUG in /bin/bash Alan Cox (Sep 17)
  - CERT Vendor-Initiated Bulletin VB-96.16 - Transarc Corp. CERT Bulletin (Sep 17)
- Re: BUG in /bin/bash Dan Thorson (Sep 16)
  - Re: sh and ^ bitblt () cybercom net (Sep 17)