Vulnerability Development mailing list archives
Re: Serious Hole in Comment/Discussior CGI srcipt
From: Alex Andrews <alex () binarygod co uk>
Date: Sat, 28 Oct 2000 14:32:00 BST
Hi guys,

The issue of input to Perl programs is covered in great depth by Rain Forest Puppy in his article for Phrack magazine (Phrack 55, article 7), which I attach. In summary, Perl has problems with null characters and metacharacters, but these may easily be removed using s//;. Remember one of CGI programming's most important laws... never trust user input.

1) Remove the null character

    $input =~ s/\0//g;

2) Remove all the standard metacharacters (which are &;`'\"|*?~<>^()[]{}$\n\r )

    $input =~ s/([\&;\`'\\\|"*?~<>^\(\)\[\]\{\}\$\n\r])/\\$1/g;

It is simple enough for someone with even a basic knowledge of Perl to add these to the script (coders can patch them quickly also). In the example program you might want to add these two lines.

There is another point mentioned in the article but it hasn't been mentioned on this list... so I'll just leave it for you to discover (it's called the pesky pipe problem!).

Thanks for listening

alex

--
Freedom is the freedom to say that two plus two is four. If granted all else follows
Attachment:
P55-07.txt
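
The two substitutions from the message above, wrapped in one helper and checked against constructed inputs. This is an added example, not part of the original post or of the CGI script under discussion; the name `sanitize_input` and the sample strings are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# sanitize_input is a hypothetical helper name; the two substitutions
# inside it are the ones quoted in the message.
sub sanitize_input {
    my ($input) = @_;
    return '' unless defined $input;

    # 1) Strip null bytes first. Perl keeps \0 inside a string, but the
    #    C library calls underneath open() and friends stop at the first one.
    $input =~ s/\0//g;

    # 2) Put a backslash in front of each listed metacharacter, so a shell
    #    treats it as a literal. The backslash itself is in the list.
    $input =~ s/([\&;\`'\\\|"*?~<>^\(\)\[\]\{\}\$\n\r])/\\$1/g;

    return $input;
}

# Constructed sample inputs paired with the expected result.
my @samples = (
    [ "page.html",   "page.html"      ],   # nothing to change
    [ "page\0.html", "page.html"      ],   # embedded null removed
    [ "a;b|c",       "a\\;b\\|c"      ],   # command separators escaped
    [ "x`y`\$z",     "x\\`y\\`\\\$z"  ],   # backticks and $ escaped
    [ "back\\slash", "back\\\\slash"  ],   # a lone backslash is doubled
    [ "line\nbreak", "line\\\nbreak"  ],   # newline gets a backslash too
);

my $failures = 0;
for my $case (@samples) {
    my ($raw, $want) = @$case;
    my $got = sanitize_input($raw);

    # Make the newline visible in the report line.
    (my $shown = $got) =~ s/\n/<LF>/g;
    printf "%-4s %s\n", ($got eq $want ? 'ok' : 'FAIL'), $shown;
    $failures++ if $got ne $want;
}

exit($failures ? 1 : 0);
```

Note that the second substitution backslash-escapes the listed characters rather than deleting them, which is what the expected values in the table reflect.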