From:	SMTP%"RELAY-INFO-VAX@CRVAX.SRI.COM"  7-FEB-1994 09:26:30.29
To:	EVERHART
CC:	
Subj:	Re: INQUIRE vs. READ

X-Newsgroups: comp.os.vms
Subject: Re: INQUIRE vs. READ
Message-Id: <8370036@zl2tnm.gen.nz>
From: don@zl2tnm.gen.nz (Don Stokes)
Date: 6 Feb 94 13:05:19 GMT
Sender: news@zl2tnm.gen.nz (GNEWS Version 2.0 news poster.)
Distribution: world
Organization: The Wolery
Lines: 44
To: Info-VAX@CRVAX.SRI.COM
X-Gateway-Source-Info: USENET

kieffer@ACS.UCALGARY.CA writes:
> I have been charged with trying this 'feature' out while checking
> security on an important VAX, but so far I have not succeeded. Is
> there anyone in this group who could help?

Well, some of my favourite tricks include turning verify on with:

	'f$verify(0)'

in the INQUIRE input line.  This often gives useful clues as to how to 
break the procedure.  Once you know how the procedure ticks, you can 
do things like:

	'f$pid(if)'

which creates a context symbol called "IF", which in turn, uh, interferes
with the normal operation of the DCL IF statement.

The real gotcha to look out for though is symbol substitution, eg:

	$ READ SYS$COMMAND filename/PROMPT="File to view: "
	$ TYPE 'filename'

If you feed into this:

	File to view: @TT:
	_$ NL:
	_$ <any DCL command you like>

you have just broken the command file -- and the lovely part about this
is that since it's still running a command procedure (it happens to be the
terminal, but it's still a command procedure), the CAPTIVE flag won't help
a bit.

The "correct" thing to do in this case is to either make _absolutely_
_certain_ that you know what's being fed into single quote substitution,
or use the '&' operator, which is parsed after the command is parsed, eg:

	$ READ SYS$COMMAND filename/PROMPT="File to view: "
	$ TYPE &filename

--
Don Stokes, Network Manager, Victoria University of Wellington, New Zealand.
don@zl2tnm.gen.nz(home) don@vuw.ac.nz(work) +64 4 495-5052 Fax+64 4 471-5386
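
Added example, not part of the original post: a version of the file-viewing procedure above that applies both precautions it recommends, checking the reply before it is used and passing it to TYPE with the '&' operator. The allow-list of characters, the label names and the messages are assumptions chosen for illustration.

```dcl
$! Constructed example: captive "view a file" loop with validated input.
$! Nothing the user types is ever placed inside '...' substitution.
$ ON CONTROL_Y THEN GOTO done
$!
$ask:
$ READ/END_OF_FILE=done/PROMPT="File to view: " SYS$COMMAND filename
$! F$EDIT works on the symbol's value; the reply is not re-parsed as DCL.
$ filename = F$EDIT(filename, "TRIM,UPCASE")
$ IF filename .EQS. "" THEN GOTO ask
$!
$! Allow-list (assumption): plain name.type only. This rejects "@", ":",
$! "/", quotes, spaces, brackets and anything else with meaning to DCL.
$ allowed = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789$_-."
$ i = 0
$check:
$ IF i .GE. F$LENGTH(filename) THEN GOTO show
$ c = F$EXTRACT(i, 1, filename)
$! F$LOCATE returns the length of the searched string when C is absent.
$ IF F$LOCATE(c, allowed) .EQ. F$LENGTH(allowed) THEN GOTO reject
$ i = i + 1
$ GOTO check
$!
$show:
$! '&' is substituted after the command line has been parsed, so the
$! value can only ever be the parameter to TYPE, never a new command.
$ TYPE &filename
$ GOTO ask
$!
$reject:
$ WRITE SYS$OUTPUT "Invalid character in file name"
$ GOTO ask
$!
$done:
$ EXIT
```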