Nmap Announce mailing list archives

Re: nmap..... via web


From: "David G. Andersen" <danderse () cs utah edu>
Date: Fri, 19 Feb 1999 14:51:51 -0700 (MST)

Lo and Behold, ajax said:

This doesn't look very sufficient to me.  For example, the banned chars
don't include space or '-'.  So what is to stop someone from giving an IP

i added the '-' check... it's hard to embed a %0D%0A because '%' is already
checked.  also added checking for '/'. i'll make the script have clickable

[...]

  You're taking the wrong approach here.  Fyodor alluded to the right
way to go about this in his message.  Repeat the first mantra of
security after me:

  "Deny everything which is not explicitly allowed."

  Then, apply it to your CGI script:

  if ($ip_addr =~ /[^a-zA-Z0-9\.\-]/) {
        die "Invalid IP address.  Go away, don't try to hack me.\n";
  }

  (A valid hostname or IP address may only contain alphanumerics and
the dash character.  So why even bother checking for badness, when
there's such a simple test for goodness?)

    -Dave, "two scoops of goodness in every package"

--
work: danderse () cs utah edu                     me:  angio () pobox com
      University of Utah                            http://www.angio.net/
      Computer Science - Flux Research Group
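
An added example, not part of the original message: the allow-list test from the post, run next to a deny-list over constructed inputs. The deny-list holds only the three characters the thread names; the sub names, the length limit, the leading-dash check and the sample targets are assumptions of this example, and nmap is never actually invoked.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Deny-list in the style the thread criticises: only the three characters
# named in the thread ('%', '/', '-') are rejected, everything else passes.
sub denylist_ok {
    my ($target) = @_;
    return $target !~ m{[%/\-]} ? 1 : 0;
}

# Allow-list: "deny everything which is not explicitly allowed".
sub allowlist_ok {
    my ($target) = @_;
    return 0 unless defined $target;
    return 0 unless length($target) > 0 && length($target) <= 253;  # assumed limit
    return 0 if $target =~ /[^a-zA-Z0-9.\-]/;  # the test from the message
    return 0 if $target =~ /^-/;               # assumption: a leading '-' would be
                                               # read by the scanner as an option
    return 1;
}

# Build the argument vector only for accepted targets. Passing it to the
# list form of system() would bypass the shell; here it is only returned.
sub scanner_argv {
    my ($target) = @_;
    return unless allowlist_ok($target);
    return ('nmap', $target);
}

# Constructed sample inputs (documentation addresses and names).
my @samples = (
    '192.0.2.10',             # plain IPv4 address
    'scanme.example.org',     # plain hostname
    '192.0.2.10 192.0.2.11',  # embedded space
    "192.0.2.10\n192.0.2.11", # raw newline, no '%' needed
    '-v',                     # looks like an option
    '',                       # empty value
);

for my $s (@samples) {
    (my $shown = $s) =~ s/\n/\\n/g;   # make the newline visible in output
    my @argv = scanner_argv($s);
    printf "%-28s denylist=%-6s allowlist=%-6s argv=%s\n", "'$shown'",
        denylist_ok($s)  ? 'pass' : 'reject',
        allowlist_ok($s) ? 'pass' : 'reject',
        @argv ? "[@argv]" : '(none)';
}
```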

