Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: Vulnerability in Glimpse HTTP
From: paulp () go2net com (Paul Phillips)
Date: Tue, 8 Jul 1997 17:00:03 -0700


On Wed, 2 Jul 1997, Brian Gentry wrote:

if($indexdir =~ tr/;<>*|`&$!#()[]{}:'"//) {
        print "<H1>Evil characters found! Exiting.</H1>";
        exit(1);
  }

[snip]
I had seen this tr "test" before and went looking for it.  I found it in
a pretty good tutorial on cgi security.  You can read it at:

http://www.go2net.com/people/paulp/cgi-security/safe-cgi.txt

Hi folks.  Author here.  There are at minimum three bad characters
missing from the above test, one of which was pointed out to me recently
and startled me into actually updating the document after its nearly two
years of peace and quiet.

They are...

  ^ (acts as pipe under some shells)
 \n (acts as shell delimeter)
  \ (in the esc_chars version of the function, this allows \; to
     be escaped as \\;, then unescaped by shell into \; again.)

This should be somewhat distrubing as a rather fearful number of
people have read that document and only a very few have actually
noticed these oversights.  I certainly hope the majority of programmers
have been taking the advice therein, which is not to use this sort
of error prone method but to limit input data to a specific set of
known-safe characters.

I knew that old *code* never died, but I wasn't quite aware that the
same applied to documentation, until now...

--
Paul Phillips      | why would you want to own /dev/null?  "ooo!  ooo!  look!
Mordant Surfer     | i stole nothing!  i'm the thief of nihilism!  i'm the new
<paulp () go2net com> | god of zen monks."
+1 206 447 1595    |   -- Kevin Lyda, alt.sysadmin.recovery



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]