Re: CGI.pm and the untrusted-URL problem
From: rhialto () POLDER UBC KUN NL (Olaf Seibert)
Date: Wed, 16 Feb 2000 14:28:17 +0100
On Mon 14 Feb 2000 at 14:01:48 -0500, Kragen Sitaker wrote:
> The successful exploit requires a remarkable chain of extreme forgiveness:
> 1- The web browser must accept an illegal URL from (possibly valid,
> although very unusual) HTML.
> 2- The web browser must send an illegal HTTP request with the illegal
> URL, without %-encoding the URL to make it legal.
> 3- The HTTP server must accept the illegal HTTP request.
Squid, when used as a proxy, does not accept these incorrect URLs. Since
I installed it as a "transparent proxy", I tend to get error messages
from Squid about this from time to time. Usually this is due to sloppy
HREFs, not anything malicious.
___ Olaf 'Rhialto' Seibert - rhialto () polder ubc -- If one tells the truth,
\X/ .kun.nl -- one is sure, sooner or later, to be found out. (Oscar Wilde)
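Added illustration of the three-step chain quoted in this thread (example code, not from Olaf Seibert, Kragen Sitaker, Squid or CGI.pm): a small Python check in the spirit of a strict proxy that refuses request URLs containing characters RFC 2396 says may only appear %-escaped (steps 2 and 3), next to the %-encoding a conforming browser should have applied before sending the request (step 2). The function names, the legal-character set and the sample request lines are constructed for this example.

```python
"""Added example, not part of the original post: a strict request-URL check
in the spirit of a proxy that refuses illegal URLs, plus the %-encoding a
conforming browser should have applied.  Names and sample requests are
constructed for this example."""
import string
from urllib.parse import quote

# RFC 2396 "unreserved" + "reserved" characters, plus '%' (escape introducer)
# and '#'.  Anything else in a URL (space, control characters, < > " { } |
# \ ^ [ ] ` and every non-ASCII character) may only appear as a %XX escape.
_LEGAL_URI_CHARS = frozenset(
    string.ascii_letters + string.digits + "-_.!~*'()" + ";/?:@&=+$," + "%#"
)
_HEX = frozenset(string.hexdigits)


def _is_escape_at(url: str, i: int) -> bool:
    """True if url[i] is a '%' followed by two hex digits (a valid escape)."""
    return (url[i] == "%" and i + 2 < len(url)
            and url[i + 1] in _HEX and url[i + 2] in _HEX)


def illegal_url_chars(url: str) -> list:
    """Characters in `url` that must not appear unescaped, sorted; [] if legal.
    A bare '%' (not followed by two hex digits) counts as illegal too."""
    bad = {ch for ch in url if ch not in _LEGAL_URI_CHARS}
    if any(ch == "%" and not _is_escape_at(url, i) for i, ch in enumerate(url)):
        bad.add("%")
    return sorted(bad)


def is_legal_request_url(url: str) -> bool:
    return not illegal_url_chars(url)


def browser_encode(url: str) -> str:
    """What a conforming browser sends: escape every character that may not
    appear literally, but keep reserved delimiters and existing %XX escapes."""
    fixed = []
    for i, ch in enumerate(url):
        # a stray '%' becomes %25; a real escape is left untouched
        fixed.append("%25" if ch == "%" and not _is_escape_at(url, i) else ch)
    # quote() escapes everything outside `safe` (non-ASCII as UTF-8 bytes)
    return quote("".join(fixed), safe="-_.!~*'();/?:@&=+$,%#")


def check_request_line(line: str) -> dict:
    """Decide, like a strict proxy, whether an HTTP request line is acceptable.
    Returns {"accepted": bool, "reason": str}."""
    parts = line.rstrip("\r\n").split(" ")
    if len(parts) != 3:
        return {"accepted": False,
                "reason": "malformed request line (whitespace inside the URL?)"}
    method, url, version = parts
    bad = illegal_url_chars(url)
    if bad:
        return {"accepted": False,
                "reason": "illegal characters in URL: %r" % (bad,)}
    return {"accepted": True, "reason": "ok"}


# Constructed sample request lines, as a transparent proxy might see them.
SAMPLE_REQUESTS = [
    "GET http://example.com/index.html HTTP/1.0",
    "GET http://example.com/search?q=a b HTTP/1.0",   # sloppy HREF with a space
    "GET http://example.com/page<x> HTTP/1.0",        # delimiters sent unescaped
    "GET http://example.com/100%off HTTP/1.0",        # bare '%', not an escape
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        verdict = check_request_line(req)
        print("%-6s %s  <- %s" % ("ACCEPT" if verdict["accepted"] else "REJECT",
                                   req, verdict["reason"]))
        if not verdict["accepted"]:
            # recover the URL even when it contains spaces: strip method and version
            url = req.split(" ", 1)[1].rsplit(" ", 1)[0]
            print("       browser should have sent: " + browser_encode(url))
```

Running the block rejects three of the four constructed request lines and prints, for each, the form a browser would have sent had it %-encoded the URL first; a request that is already legal passes unchanged, and an existing `%20` is not double-escaped.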