Bugtraq mailing list archives

Re: SSI & CSS execution in MakeBook 2.2


From: Kristina Pfaff-Harris <kristina () tesol net>
Date: 13 Jun 2002 15:13:02 -0000

In-Reply-To: <20020612072206.29312.qmail () mail securityfocus com>

Advisory name: SSI & CSS execution in MakeBook 2.2
Advisory number: 5
Application: MakeBook 2.2 (CGI script)
Application author: Kristina Pfaff-Harris

Gah. This is embarrassing, especially since the original advisory about 
Matt's guestbook came out frigging years ago.

~sigh~

Name, email, and text entered are now checked more rigorously, which 
should fix this bug.  I've notified all registered users of the script to 
upgrade immediately.

The fix is a quick and ugly one, and does not allow for international 
characters in either the name or the email, and thus does not allow for 
several perfectly valid email addresses, but also should eliminate the 
vulnerability. Names now are stripped of everything but A-Za-z0-9-_.'
and emails of everything but A-Za-z0-9-_.@ .

Btw, and just as a side note, does anyone actually notify the writer of 
the script/software/whatever that has an exploit anymore? (I mean besides 
just posting to BugTraq?) It would have been nice to see a note about this 
before seeing it here. :-)

Kristina
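
The allowlist stripping described in the message above, as an added example that is not part of the original post and is not MakeBook's own code. The function names and the sample inputs are constructed for illustration, and the sets are assumed to contain no space character.

```python
import re

# Character sets quoted in the message; everything outside them is deleted.
# Assumption: the space before the final period in the e-mail set is sentence
# punctuation, so neither set contains a space.
NAME_ALLOWED = r"A-Za-z0-9\-_.'"
EMAIL_ALLOWED = r"A-Za-z0-9\-_.@"


def strip_to(allowed, value):
    """Delete every character of value that is not in the allowed class."""
    return re.sub(f"[^{allowed}]", "", value)


def clean_name(value):
    return strip_to(NAME_ALLOWED, value)


def clean_email(value):
    return strip_to(EMAIL_ALLOWED, value)


def dropped(allowed, value):
    """Return the distinct characters the filter removed, for review."""
    return sorted(set(re.findall(f"[^{allowed}]", value)))


# Constructed sample inputs (not taken from the advisory).
SAMPLES = [
    ("name", '<!--#echo var="DATE_LOCAL" -->'),   # SSI directive syntax
    ("name", "<script>alert(1)</script>"),        # script markup
    ("name", "Jos\u00e9 O'Brien"),                # legitimate non-ASCII name
    ("email", "user+tag@example.org"),            # valid address with '+'
]

if __name__ == "__main__":
    for field, raw in SAMPLES:
        allowed = NAME_ALLOWED if field == "name" else EMAIL_ALLOWED
        print(f"{field:5} {raw!r} -> {strip_to(allowed, raw)!r} "
              f"dropped={dropped(allowed, raw)}")
```

The first two samples lose the `<`, `>`, `#`, `!` and `"` characters that SSI directives and script tags depend on, while the last two show the cost the message mentions: a non-ASCII name and a valid `+` address are silently altered.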
