Vulnerability Development mailing list archives
Re: CGI insecurities
From: admin () SUPERDUPS COM (Bill Gilpatric)
Date: Tue, 25 Jan 2000 12:21:50 -0500
What about the defense side of things? If you were to allow only alphanumeric and selected punctuation characters, i.e. ! . and ? (exclamation, period and question mark), have you removed the possibility of creating commands that could be executed? Mainly I am looking for a rule that would disable any kind of execution by stripping any unacceptable characters from strings sent to the CGI prior to passing these values on. Is this feasible? What character set could be considered safe? If this preprocessing step also looked at string length, is there any room left for exploitation? Any binary or platform may be referenced in responses. I'm looking for a generalized rule.
http://www.phrack.com/search.phtml?view&article=p55-7 That's a good article about which characters to strip. Its focus is Perl, but it's applicable to any CGI that's going to be calling another program with insecure arguments. -Bill
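As an added illustration of the reject-versus-strip question above (example code, not from the thread or the Phrack article): a Python allowlist check with a length cap, the stripping variant beside it so the difference is visible, and argv construction that keeps the value out of any shell. The exact allowlist, the 64-character cap and the sample inputs are assumptions.

```python
import string

# Allowlist from the question: letters, digits and the punctuation ! . ?
# Anything else (space, ;, |, &, $, `, newline, NUL, ...) is outside it.
ALLOWED = frozenset(string.ascii_letters + string.digits + "!.?")
MAX_LEN = 64  # assumed length cap; the question leaves the number open


def is_safe_param(value: str, max_len: int = MAX_LEN) -> bool:
    """Reject-on-violation check: non-empty, within max_len, allowlisted chars only."""
    return 0 < len(value) <= max_len and all(c in ALLOWED for c in value)


def strip_unsafe(value: str, max_len: int = MAX_LEN) -> str:
    """The 'strip offending characters' approach asked about. The result
    passes is_safe_param, but may no longer mean what the client sent."""
    return "".join(c for c in value if c in ALLOWED)[:max_len]


def build_argv(tool: str, user_value: str) -> list[str]:
    """Build the argument vector for the external program the CGI calls.
    The value is one argv element, never part of a shell command string,
    so even allowlisted text reaches the program as plain data.
    Run it as subprocess.run(build_argv(...)) without shell=True."""
    if not is_safe_param(user_value):
        raise ValueError("CGI parameter rejected by allowlist/length policy")
    return [tool, user_value]


# Constructed sample inputs, not taken from the thread.
SAMPLES = {
    "plain": "hello",
    "punct": "ready?!.",
    "space": "hello world!",
    "newline": "hello\nworld",
    "toolong": "a" * (MAX_LEN + 1),
}


def classify(samples: dict[str, str] = SAMPLES) -> dict[str, bool]:
    """Map each sample name to whether the reject policy accepts it."""
    return {name: is_safe_param(v) for name, v in samples.items()}


if __name__ == "__main__":
    for name, ok in classify().items():
        print(f"{name:8s} {'accept' if ok else 'reject'}")
    # Stripping "hello world!" gives "helloworld!": accepted, but different data.
    print(strip_unsafe(SAMPLES["space"]))
```

Rejecting keeps the policy simple to reason about; stripping silently changes the input and still needs the argv discipline, since an allowlist only limits what the shell could see, it does not remove the shell.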