Home page logo

bugtraq logo Bugtraq mailing list archives

Re: CGI.pm and the untrusted-URL problem
From: rhialto () POLDER UBC KUN NL (Olaf Seibert)
Date: Wed, 16 Feb 2000 14:28:17 +0100

On Mon 14 Feb 2000 at 14:01:48 -0500, Kragen Sitaker wrote:
The successful exploit requires a remarkable chain of extreme forgiveness:
1- The web browser must accept an illegal URL from (possibly valid,
   although very unusual) HTML.
2- The web browser must send an illegal HTTP request with the illegal
   URL, without %-encoding the URL to make it legal.
3- The HTTP server must accept the illegal HTTP request.

Squid, when used as a proxy, does not accept these incorrect URLs. Since
I installed it as a "transparent proxy", I tend to get error messages
from Squid about this from time to time. Usually this is due to sloppy
HREFs, not anything malicious.


___ Olaf 'Rhialto' Seibert - rhialto () polder ubc      -- If one tells the truth,
\X/ .kun.nl     -- one is sure, sooner or later, to be found out. (Oscar Wilde)

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]