comp.lang.ruby

Re: Substitution within system quoted string

Matthias Wächter

8/27/2007 9:42:00 PM

On 27.08.2007 23:35, Felix Windt wrote:
>> On 27.08.2007 22:34, Felix Windt wrote:
>>> system("start putty.exe -X -ssh -pw #{ARGV[0]} myuserid@myhostname")
>> never trust parameters or their encoding, or you beg for privilege
>> escalation problems. The given command will perform both shell
>> expansion (consider a password like "%PATH%") and parameter
>> separation (consider a password like "pw; rm -rf /*").
>
> It's generally a very bad idea to give a password on the command line. I'm
> not sure if Windows keeps a command line history, but all it would take is
> for the DOS Prompt to still be open, and for someone to arrow up.

Sure, but the problem is not limited to passwords. Any input you
cannot control or carefully check is bad if it is used in shell
expansion like the above. So better not start with it in the first
place, neither for passwords, nor for something like username@host
or other thought-to-be-friendly parameters.

- Matthias


Simon Krahnke

8/28/2007 12:38:00 AM


* Matthias Wächter <matthias@waechter.wiz.at> (23:41) wrote:

> On 27.08.2007 23:35, Felix Windt wrote:

>> It's generally a very bad idea to give a password on the command line. I'm
>> not sure if Windows keeps a command line history, but all it would take is
>> for the DOS Prompt to still be open, and for someone to arrow up.
>
> Sure, but the problem is not limited to passwords. Any input you
> cannot control or carefully check is bad if it is used in shell
> expansion like the above. So better not start with it at the first
> place, neither for passwords, nor for something like username@host
> or other thought-to-be-friendly parameters.

You are talking about two different things. Felix is about sensitive
data; you seem to be about injection. The latter is only a problem when
the program is executed with rights other than its user's, which is
normally not the case with command-line programs.

regards, simon .... l

Matthias Wächter

8/28/2007 8:30:00 AM


On 28.08.2007 03:05, Simon Krahnke wrote:
> * Matthias Wächter <matthias@waechter.wiz.at> (23:41) wrote:
>
>> On 27.08.2007 23:35, Felix Windt wrote:
>
>>> It's generally a very bad idea to give a password on the command line. I'm
>>> not sure if Windows keeps a command line history, but all it would take is
>>> for the DOS Prompt to still be open, and for someone to arrow up.
>> Sure, but the problem is not limited to passwords. Any input you
>> cannot control or carefully check is bad if it is used in shell
>> expansion like the above. So better not start with it at the first
>> place, neither for passwords, nor for something like username@host
>> or other thought-to-be-friendly parameters.
>
> You are talking about two different things. Felix is about sensitive
> data, you seem to be about injection. The latter is only a problem, when
> the program is executed with other rights than its user, which is
> normally not the case with command line programs.

You are right about the two different topics. Sure, it's very,
_very_ bad to write the password into the command line. But on a
single-user computer, this might be OK nevertheless, so this is up
to the user to decide. He can use public key authentication, and
then this no longer matters (see the PuTTY documentation for more details).

Injection is very bad irrespective of the user's rights and of which
parameter is vulnerable. If it's not the password, he might pass the
username to the executed command, and then it's the same. Finally, a
parameter (like the given password) such as "%PATH%" will make the
command not work; a password like "; rm -rf /*;" will have other
side effects that are certainly not anticipated by the programmer.

String substitution is a good thing if you know _precisely_ what
goes into this string and what is done with the resulting string. If
it is put into Kernel#system() with shell expansion, it's like
Kernel#eval() -- you certainly don't want to put any arbitrary,
_unquoted_ string into that without careful data checking. But
that's what is happening here.

Very bad indeed, but common practice and a good trigger for long
security-related stories in newspapers.

- Matthias
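
The two failure modes Matthias describes (parameter separation and shell
expansion) and the fix, as an added Ruby example that is not from the
original thread. It uses `echo` as a stand-in for `putty.exe` so it runs
anywhere and simply prints the argv the program received; the target
`myuserid@myhostname` is the one from the post, while the two hostile
passwords, the `$HOME` stand-in for `%PATH%`, and the helper names
`unsafe_command`, `safe_argv`, `safe_string`, `run` and
`password_survived?` are constructed for this example.

```ruby
require 'open3'
require 'shellwords'

# Stand-in for putty.exe: 'echo' prints the argv it was given, which is what
# we want to inspect. 'connect' is a dummy first argument so that echo never
# sees '-pw' in option position.
TOOL = %w[echo connect].freeze

# The pattern from the thread: interpolate untrusted input into ONE string.
# Kernel#system and Open3 hand such a string to /bin/sh -c (cmd.exe on
# Windows) as soon as it contains a metacharacter, so the shell re-parses
# the password: ';' ends the command, '$HOME' / '%PATH%' gets expanded.
def unsafe_command(password, target)
  "#{TOOL.join(' ')} -pw #{password} #{target}"
end

# Hardened form 1: pass an argv ARRAY. Ruby then exec()s the program directly
# with each element as exactly one argument; no shell ever sees the password,
# so neither word-splitting nor variable expansion can happen.
def safe_argv(password, target)
  TOOL + ['-pw', password, target]
end

# Hardened form 2: if a single command string is unavoidable, quote every
# element with Shellwords. The shell still runs, but it unquotes each piece
# back into one literal argument.
def safe_string(password, target)
  safe_argv(password, target).shelljoin
end

# Run a command and return its stdout. An Array goes down the argv path, a
# String down the shell path, mirroring Kernel#system's two calling forms.
def run(command)
  argv = command.is_a?(Array) ? command : [command]
  out, _status = Open3.capture2(*argv)
  out
end

# Did the password reach the program as the single literal argument we meant?
def password_survived?(output, password)
  output.include?(password)
end

TARGET = 'myuserid@myhostname'
# Constructed hostile passwords (not from the original post):
SPLIT_PW  = 'pw; echo INJECTED' # parameter separation: ';' ends the command
EXPAND_PW = '$HOME'             # shell expansion: the Unix analogue of %PATH%

if $PROGRAM_NAME == __FILE__
  [SPLIT_PW, EXPAND_PW].each do |pw|
    puts "password: #{pw.inspect}"
    puts "  unsafe string -> #{run(unsafe_command(pw, TARGET)).inspect}"
    puts "  argv array    -> #{run(safe_argv(pw, TARGET)).inspect}"
    puts "  shelljoin     -> #{run(safe_string(pw, TARGET)).inspect}"
  end
end
```

With `SPLIT_PW` the unsafe form produces two lines of output, the second one
coming from the injected `echo INJECTED`; both hardened forms produce one line
carrying the password verbatim. With `EXPAND_PW` the unsafe form prints the
expanded home directory instead of the literal `$HOME`. The argv form is the
one to prefer: it is shorter, it does not depend on getting the quoting rules
right for every shell, and on Windows, where the post's `putty.exe` lives, it
likewise bypasses cmd.exe, which is what performs `%PATH%`-style expansion.
None of this addresses the separate point Felix raised: a password placed in
argv is still visible in process listings and command history, which is why
Matthias's suggestion of public-key authentication is the better answer to
that part of the problem.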

Simon Krahnke

8/28/2007 9:15:00 AM


* Matthias Wächter <matthias@waechter.wiz.at> (10:30) wrote:

> Injection is very bad irrespective of the user's rights and of which
> parameter is vulnerable. If it's not the password, he might pass the
> username to the executed command, and then it's the same. Finally, a
> parameter (like the given password) such as "%PATH%" will make the
> command not work; a password like "; rm -rf /*;" will have other
> side effects that are certainly not anticipated by the programmer.

But it doesn't enable the user to do things he isn't allowed to do, so
it's not a security problem. But it might make it easier to shoot
yourself in the foot.

regards, simon .... l
