lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Wed, 15 Aug 2007 13:34:38 -0400
From: Michael Tharp <gxti@...tiallystapled.com>
To: v9@...ehalo.us
Cc: bugtraq@...urityfocus.com
Subject: Re: Vulnerability in multiple "now playing" scripts for various IRC
 clients

v9@...ehalo.us wrote:
> I may be rusty with knowledge about mirc (say almost 10 years out of date)...but, in what situation would the pipe ('|') ever be processed from a variable, even if it was read from a mp3 ID3?

This is probably a bigger concern for *nix scripts, especially of the
homebrew variety where the owner hacks something out in 20 minutes and
never looks at it again. While the attacker might not have access to the
source code, they shouldn't have any problems defeating simple
substitution onto a command line.

  -- m. tharp

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ