Bugtraq mailing list archives
Re: perl-cgi hole in UltimateBB by Infopop Corp.
From: bet () RAHUL NET (Bennett Todd)
Date: Fri, 18 Feb 2000 17:27:45 -0500
2000-02-18-10:45:48 Brock Sides:
> Perl's tainting mechanism will also come into play when opening a filehandle for writing:

What's more, it's available to user code. perlsec(1) gives an example routine that can check the taintedness of a variable, and the Taint module makes it really painless.

DBI.pm offers a Taint option to taint-check data passed to it; this offers some hope of addressing the rash of bugs in weirdo data with SQL embedded in it being passed through CGIs and into a relational database (ref RFP2K01, recently posted to this list).

I'm hoping it's possible that the new (development track perl) feature for I/O disciplines may allow you to bolt a routine over the front of an I/O handle that taint checks everything written to it; that'd make a nice clean way of dealing with the whole cross-site-scripting problem.

-Bennett
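The two mechanisms the message points at, the perlsec(1) taint-probe routine and a handle that taint-checks everything written through it, as an added example (this is not code from the original post or from UltimateBB). It uses the `is_tainted` routine as printed in perlsec(1); the `untaint_filename` pattern, the `TaintGuardHandle` tie class and the `/tmp`-style temp directory are assumptions made for the demo, and the tie class is only an approximation of the I/O-discipline idea, not anything Perl shipped.

```perl
#!/usr/bin/perl -T
# Added example, not from the original post. Run as:  perl -T taintdemo.pl 'report.txt'
# and then again with something hostile:               perl -T taintdemo.pl '../../etc/passwd'
use strict;
use warnings;
use File::Temp qw(tempdir);

# Taint-mode hygiene: untaint the environment bits perl checks before running
# subprocesses, so the script stays usable if it is ever extended to do so.
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
$ENV{PATH} = '/usr/bin:/bin';

# The probe from perlsec(1): a zero-length substring keeps the argument's taint,
# and a string eval of tainted data dies under -T, so $@ is set iff tainted.
sub is_tainted {
    my $arg  = shift;
    my $nada = substr($arg, 0, 0);    # zero-length, but still tainted if $arg was
    local $@;                         # preserve the caller's $@
    eval { eval "# $nada" };
    return length($@) != 0;
}

# The only sanctioned way to untaint: extract a conservative pattern.
# (Assumed policy for this demo: bare file names only, no '/' and no '..'.)
sub untaint_filename {
    my $in = shift;
    return undef unless defined $in && $in =~ /^([\w][\w.-]*)$/;
    return $1;                        # capture groups are untainted
}

# Hypothetical "taint-checking output handle": a tie class whose PRINT refuses
# to pass tainted data through to the wrapped handle.
package TaintGuardHandle;
sub TIEHANDLE { my ($class, $fh) = @_; return bless { fh => $fh }, $class; }
sub PRINT {
    my $self = shift;
    for my $chunk (@_) {
        die "TaintGuardHandle: refusing to write tainted data\n"
            if main::is_tainted($chunk);
    }
    return print { $self->{fh} } @_;
}
sub PRINTF { my $self = shift; my $fmt = shift; return $self->PRINT(sprintf($fmt, @_)); }
sub CLOSE  { my $self = shift; return close($self->{fh}); }
package main;

my $user = defined $ARGV[0] ? $ARGV[0] : 'report.txt';   # @ARGV is tainted under -T
printf "user input tainted?  %s\n", is_tainted($user) ? 'yes' : 'no';   # yes

my $dir = tempdir(CLEANUP => 1);    # File::Temp returns an untainted path

# 1. open() for writing with a tainted name dies under -T ("Insecure dependency").
my $ok = eval { open(my $bad, '>', "$dir/$user") or die "open: $!\n"; close $bad; 1 };
printf "open with tainted name: %s\n", $ok ? 'allowed' : "refused ($@)";

# 2. After untainting through a regex, the same open is accepted.
my $clean = untaint_filename($user);
die "rejected file name: $user\n" unless defined $clean;
printf "cleaned name tainted? %s\n", is_tainted($clean) ? 'yes' : 'no';   # no
open(my $out, '>', "$dir/$clean") or die "open: $!\n";

# 3. Guard the handle: clean data goes through, tainted data is stopped at the
#    handle rather than ending up in the file (or, for a CGI, in the HTML).
tie *GUARD, 'TaintGuardHandle', $out;
print GUARD "generated by the script: fine\n";
my $written = eval { print GUARD "echoing user input: $user\n"; 1 };
printf "print of tainted data: %s\n", $written ? 'allowed' : "refused ($@)";
close GUARD;
```

With a benign argument the first open is refused and the second succeeds; with `'../../etc/passwd'` the regex rejects the name outright, and either way the tied handle refuses the tainted `$user` while accepting the script's own strings. For the DBI side of the message, `DBI->connect($dsn, $u, $p, { Taint => 1 })` makes DBI itself die when tainted data reaches a statement, which is the database-facing counterpart of the same check.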