Well, I double-checked it, and while you are right on the checked input, I am sure that

    if [ -z "=" ] ...

shouldn't throw an error. I also tried simple quotes (').

On the other hand, you are right, no security issue. Because the right way to authenticate of course would be:

    if [ ! -z "$do_login" -a "$user" == 'foo' -a "$password" == 'bar' ]; then
        echo login success
    else
        echo login failed
    fi

and this wouldn't be flawed by the error. I am still not sure if this is meant to be.

@Alina: Do you have reason to believe this isn't a bug? If yes, why?

...
bud

Warren Turkal wrote:
> That example is more of an example of unsanitized input and improper error
> checking. While it is a common problem with shell, I don't see how it
> relates to the claim made earlier. Is there a better example that doesn't
> rely on the user providing unchecked input? Maybe that example would make it
> clear to me.
>
> Warren Turkal
> Linux Enthusiast and Libre Software Advocate
>
> On Jul 19, 2009 7:09 AM, "Alina Friedrichsen" <x-al...@gmx.net> wrote:
>
> Hi!
>
>> Could you quote an example or deliver an exploit?
> An example for the BASH:
>
> if [ -z "$do_login" -o "$user" != 'foo' -o "$password" != 'bar' ]; then
>     echo login faild
> else
>     echo login success
> fi
>
> Normal:
> http://[...]/[...]?do_login=1&user=foo&password=unknown
> Output:
> login faild
>
> Exploit:
> http://[...]/[...]?do_login==&user=foo&password=unknown
> Output:
> bash: [: too many arguments
> login success
>
> Regards Alina

_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
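The behaviour discussed in this thread, as an added example that is not part of any poster's message: it compares the exit status of `[` for the two quoted conditions and for a variant that uses one comparison per `[`, showing which forms grant and which deny when the test cannot be parsed. The credentials 'foo'/'bar' come from the thread; the function names and sample inputs are constructed for illustration.

```bash
#!/bin/sh
# Added demo; credentials 'foo'/'bar' come from the thread, the function
# names and sample inputs are constructed. Arguments: do_login user password.

# Exit status of the thread's original test expression:
# 0 = expression true, 1 = false, >1 = `[` could not parse its arguments.
test_status() {
    [ -z "$1" -o "$2" != 'foo' -o "$3" != 'bar' ] && rc=0 || rc=$?
    echo "$rc"
}

# Negative form: success is the else branch, so a parse error is treated
# like "credentials are fine" (fails open).
check_negative() {
    if [ -z "$1" -o "$2" != 'foo' -o "$3" != 'bar' ]; then
        echo "login failed"
    else
        echo "login success"
    fi
}

# Positive form from the reply: success needs status 0, so a parse
# error lands in the else branch (fails closed).
check_positive() {
    if [ ! -z "$1" -a "$2" = 'foo' -a "$3" = 'bar' ]; then
        echo "login success"
    else
        echo "login failed"
    fi
}

# One comparison per `[`, joined by the shell's &&: each test has at most
# three arguments, so a value such as "=" is always read as a string.
check_split() {
    if [ -n "$1" ] && [ "$2" = 'foo' ] && [ "$3" = 'bar' ]; then
        echo "login success"
    else
        echo "login failed"
    fi
}

# Constructed inputs: wrong password, first with do_login=1, then do_login="=".
for do_login in 1 '='; do
    echo "do_login=$do_login status=$(test_status "$do_login" foo unknown)"
    for f in check_negative check_positive check_split; do
        echo "  $f: $($f "$do_login" foo unknown)"
    done
done
```

The parse error itself is the same in the negative and positive forms; only the branch that an error status falls into differs.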