Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: new advisory - (filtering problems)
From: "b0iler _" <b0iler () hotmail com>
Date: Wed, 06 Feb 2002 19:36:47 -0700

sj () datanet hu wrote:
I think some filtering after the line '$q = new CGI;' would help a little

Eg.

my $SECMSG = 'Pliz dont hekk us\n";

if(!defined $q->param('cfg')){ die "missing cfg file\n"; }
my $xx = $q->param('cfg');

if($xx =~ /\.\.|\/\/|\.\//){ die $SECMSG; }


Eek! leaning toothpick syndrome!

   if ($xx =~ m"\.\. |        # if match '..' anywhere, or
                //   |        #    match '//' anywhere, or
                \./  "x) {    #    match './' anywhere:
      die $SECMSG;
   }

Of course, as a general rule, it's better to take a leaf out of the
firewall admin's book: deny everything by default, then allow only
specific, known good patterns. For example, isn't this code prone to
fragility in the presence of hex-encoded characters?

Yes, great advice. also watch out for flying \'s. Even though you are filtering which is good, one mistake can make your perl dirty and of little worth. Setting $q->param('cfg') to .\.\/ will make it past these filters and hekk you. A nice way of filtering is to filter out meta characters first, then the double dot, or the best method - "deny everything by default".



_________________________________________________________________
Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp.


  By Date           By Thread  

Current thread:
  • Re: new advisory - (filtering problems) b0iler _ (Feb 07)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]