Bugtraq mailing list archives
Time to update those CGIs again
From: tymm () COE MISSOURI EDU (Tymm Twillman)
Date: Tue, 5 Oct 1999 10:50:45 -0500
Seems that at least some Unix versions of Netscape treat characters 0x8b and 0x9b (NOT the strings "0x8b" and "0x9b" but the characters with these ascii values) just like < and > respectively... This could be a problem for guestbooks/web email/filtering programs which remove tags by filtering based on greater/less than characters. I've tested this on Linux with Netscape versions 4.51 and 4.7; others have confirmed that Solaris versions behave the same... Apparently Mac/Windows versions just display the characters instead of using them as tag delimiters. Here's a glob of code to show the problem: --- cut --- #!/usr/bin/perl $opentag = chr(0x8b).'a href="http://www.netscape.com"'.chr(0x9b); $closetag = chr(0x8b).'/a'.chr(0x9b); open OUT, '>uhoh.html' || die ("Couldn't open"); print OUT "If this $opentag link $closetag works, it could be bad."; close OUT; --- cut -- run this and point Netscape at the resulting uhoh.html file... It looks like this may be the result of some alternate character set compatability feature, but it's rather hard to tell... I have not seen this documented anywhere however. -Tymm
Current thread:
- Time to update those CGIs again Tymm Twillman (Oct 05)
- Re: Time to update those CGIs again Chon-Chon Tang (Oct 05)
- Re: Time to update those CGIs again 3APA3A (Oct 06)
- Re: Time to update those CGIs again Sam Carter (Oct 08)
- Microsoft Security Bulletin (MS99-030) Aleph One (Oct 08)
- <Possible follow-ups>
- Re: Time to update those CGIs again Robert G. Ferrell (Oct 05)
- Re: Time to update those CGIs again Warren R. Carithers (Oct 06)
- Re: Time to update those CGIs again Leif Sawyer (Oct 06)
- Re: Time to update those CGIs again Wise Cat (Oct 08)