Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Re: new advisory

From: Andrew Simmons <andrew () zpok demon co uk>
Date: Tue, 05 Feb 2002 01:49:48 +0000
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



sj () datanet hu wrote:
> I think some filtering after the line '$q = new CGI;' would help a little
>
> Eg.
>
> my $SECMSG = 'Pliz dont hekk us\n";
>
> if(!defined $q->param('cfg')){ die "missing cfg file\n"; }
> my $xx = $q->param('cfg');
>
> if($xx =~ /\.\.|\/\/|\.\//){ die $SECMSG; }


Eek! leaning toothpick syndrome!

    if ($xx =~ m"\.\. |        # if match '..' anywhere, or
                 //   |        #    match '//' anywhere, or
                 \./  "x) {    #    match './' anywhere:
       die $SECMSG;
    }

Of course, as a general rule, it's better to take a leaf out of the
firewall admin's book: deny everything by default, then allow only
specific, known good patterns. For example, isn't this code prone to
fragility in the presence of hex-encoded characters?

\a


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (CYGWIN_NT-4.0)
Comment: For info see http://www.gnupg.org

iD8DBQE8XzoKkZawWPzItK8RAiPEAJ9ZoMw1HyHT9IQ3dHHGTPjDiZ2WawCfUop/
Wg3BBi5iR0iP81E9RPqCbdk=
=IaK8
-----END PGP SIGNATURE-----

--
=( Andrew Simmons                                      PGP public key:
=( http://certserver.pgp.com:11371/pks/lookup?op=get&search=0xFCC8B4AF
=( Perl, security, net- and sys- admin, Linux, NT
=(   http://www.zpok.demon.co.uk/cv.(doc|txt)
Previous By Date Next
Previous By Thread Next

Current thread: