Bugtraq mailing list archives
Re: Vulnerability in Glimpse HTTP
From: paulp () go2net com (Paul Phillips)
Date: Tue, 8 Jul 1997 17:00:03 -0700
On Wed, 2 Jul 1997, Brian Gentry wrote:
> if($indexdir =~ tr/;<>*|`&$!#()[]{}:'"//) {
>     print "<H1>Evil characters found! Exiting.</H1>";
>     exit(1);
> }
> [snip]
>
> I had seen this tr "test" before and went looking for it. I found it in a
> pretty good tutorial on cgi security. You can read it at:
> http://www.go2net.com/people/paulp/cgi-security/safe-cgi.txt

Hi folks. Author here. There are at minimum three bad characters missing from the above test, one of which was pointed out to me recently and startled me into actually updating the document after its nearly two years of peace and quiet. They are...

^   (acts as pipe under some shells)
\n  (acts as shell delimiter)
\   (in the esc_chars version of the function, this allows \; to be escaped as \\;, then unescaped by shell into \; again.)

This should be somewhat disturbing as a rather fearful number of people have read that document and only a very few have actually noticed these oversights. I certainly hope the majority of programmers have been taking the advice therein, which is not to use this sort of error prone method but to limit input data to a specific set of known-safe characters.

I knew that old *code* never died, but I wasn't quite aware that the same applied to documentation, until now...

--
Paul Phillips         | why would you want to own /dev/null? "ooo! ooo! look!
Mordant Surfer        | i stole nothing! i'm the thief of nihilism! i'm the new
<paulp () go2net com> | god of zen monks."
+1 206 447 1595       | -- Kevin Lyda, alt.sysadmin.recovery
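
Added example, not part of the original post or of the tutorial it discusses: the quoted tr test run over constructed inputs containing the three characters named in the reply, beside an allowlist check of the kind the reply recommends. The function names, the body of esc_chars and the allowed character set are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# The blacklist test quoted in the message: tr/// counts the listed
# characters, so a non-zero result means "evil character found".
sub blacklist_flags {
    my ($s) = @_;
    return ($s =~ tr/;<>*|`&$!#()[]{}:'"//) ? 1 : 0;
}

# Assumed form of the escaping variant mentioned in the reply: put a
# backslash in front of each character from the same list.
sub esc_chars {
    my ($s) = @_;
    $s =~ s/([;<>*|`&\$!#()\[\]{}:'"])/\\$1/g;
    return $s;
}

# Allowlist check: accept only a fixed set of known-safe characters.
# The set is an assumption for a simple directory name; \A and \z anchor
# the whole string, so a trailing newline is rejected too.
sub allowlist_ok {
    my ($s) = @_;
    return ($s =~ /\A[A-Za-z0-9_-]+\z/) ? 1 : 0;
}

# Constructed sample inputs: caret, newline, lone backslash, benign name.
my @samples = ("index^dir", "index\ndir", "index\\dir", "index_dir");

for my $s (@samples) {
    (my $shown = $s) =~ s/\n/\\n/g;    # make the newline visible in output
    printf "%-12s blacklist_flags=%d allowlist_ok=%d\n",
        $shown, blacklist_flags($s), allowlist_ok($s);
}

# The backslash case from the reply: the input \; has its semicolon
# escaped, but the backslash already present is left alone, so the
# result is \\; (escaped backslash followed by a bare semicolon).
my $in = '\\;';                        # two characters: backslash, semicolon
printf "esc_chars(%s) = %s\n", $in, esc_chars($in);
```

The blacklist lets the first three samples through because none of their special characters is in its list, while the allowlist accepts only the last sample.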