Firewall Wizards mailing list archives
Re: OT, sorta: Breaking pipes?
From: Chris Myers <clmmacunix () charter net>
Date: Sat, 7 Nov 2009 09:34:06 -0600
Do you use Perl at all with CGI scripts? If so, this is just an example of what might be done with anything written with custom scripts. In this case, it is a specific vendor, but it could happen to anyone who does not code diligently.
http://www.kb.cert.org/vuls/id/496064
Thank You,
Chris Myers
clmmacunix () charter net
John 1:17 For the Law was given through Moses; grace and truth were realized through Jesus Christ.
Go Vols!!!!
On Oct 27, 2009, at 1:48 PM, Kurt Buff wrote:
All,
At $WORK I admin a nice Sidewinder. Works well. I like it, though I'm not as fully trained on it as I'd like to be.
However, I'm seeing more complaints from end-users who are encountering web sites that issue URLs with the pipe/vertical bar - "|" - character embedded in them. The Sidewinder proxy denies it, as is proper. The latest occurrence is a really stupid State government web site that actually puts the pipe character at the end of the URL! For those sites that we have a business case for end-user access, I make an exception.
IT manager now considers this an annoyance, and wants justification for not allowing URLs with the character through the proxy. I tell him it violates the RFCs that I'm aware of (1738 and 2396 - 3986 doesn't really deal with it, AFAICT) and he wants me to quantify/qualify the risk, and wants me to consider allowing that character universally. I told him (as I believe to be correct) that you can't do that without turning off the proxy entirely, which would be foolish in the extreme.
Aside from what we (the manager and I) already know (that the pipe is used in scripting/shells/etc. to redirect output from one program to another) are there any other risks of which I'm not aware, or any specific attacks that I can point to that have or do use this character?
I would think that our current understanding on this would be sufficient justification for keeping things the way they are, but apparently not.
This is really silly, and frustrating for me, though I suppose many of you have fought the same (kinds of) battle, but any insight would help.
Thanks,
Kurt
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
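The kind of URL syntax check discussed in this thread, as an added example that is not part of the original messages and not Sidewinder's actual logic: it reports characters that may not appear unencoded under RFC 3986 and marks those that RFC 2396 lists as "unwise", the pipe among them. The function names and sample URLs are constructed for illustration.

```python
import re

# Characters RFC 3986 allows to appear literally in a URI.
UNRESERVED = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~")
GEN_DELIMS = set(":/?#[]@")
SUB_DELIMS = set("!$&'()*+,;=")
ALLOWED = UNRESERVED | GEN_DELIMS | SUB_DELIMS

# RFC 2396 section 2.4.3 "unwise" set. "[" and "]" are listed there too, but
# RFC 3986 later permitted them as delimiters, so they are omitted here.
UNWISE_2396 = set("{}|\\^`")

PCT_ENCODED = re.compile(r"%[0-9A-Fa-f]{2}")


def check_url(url):
    """Return (offset, char, reason) for every character that must not appear raw."""
    findings = []
    i = 0
    while i < len(url):
        ch = url[i]
        if ch == "%":
            if PCT_ENCODED.match(url, i):
                i += 3          # well-formed escape such as %7C
                continue
            findings.append((i, ch, "malformed percent-encoding"))
        elif ch not in ALLOWED:
            reason = "RFC 2396 unwise" if ch in UNWISE_2396 else "not permitted unencoded"
            findings.append((i, ch, reason))
        i += 1
    return findings


def proxy_decision(url):
    """Deny any URL that carries at least one finding, as a strict proxy would."""
    return "deny" if check_url(url) else "allow"


# Constructed sample URLs, not taken from the thread.
SAMPLES = [
    "http://www.example.gov/forms/lookup.asp?id=42|",    # raw trailing pipe
    "http://www.example.gov/forms/lookup.asp?id=42%7C",  # same byte, encoded
    "http://www.example.gov/report name.pdf",            # raw space
    "http://www.example.gov/a%zz",                       # broken escape
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(proxy_decision(u), check_url(u), u)
```

A percent-encoded `%7C` still decodes to a pipe at the server, so this check enforces URL syntax only. The script behind the URL must still treat the decoded value as untrusted input.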