Re: guestbook script is still vulnerable under apache

From: Andrew Clegg (surfboyat_private)
Date: Fri Jun 26 1998 - 01:50:30 PDT


    Quoting Lars Eilebrecht (Lars.Eilebrecht@UNIX-AG.ORG):
    >
    > IMHO the guestbook script should not try to strip out SSIs, but rather
    > reject every input which contains the sequence "<!--#".
    
    Personally I favour replacing every < with a &lt; and every > with a &gt;
    
    That way the users get out exactly what they put in...
    
    Andrew.
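
The two approaches discussed in this message, as an added example that is not part of the original post or of the guestbook script: rejecting any entry containing `<!--#`, and entity-escaping the entry before it is written to the page. The function names and sample entries are constructed for illustration. The example also compares replacing only `<` and `>` with additionally escaping `&`, which matters when the entry already contains entity text.

```python
import html

SSI_OPEN = "<!--#"  # the sequence the quoted message proposes rejecting

def reject_ssi(entry: str) -> bool:
    """Approach 1: True means the entry must be refused outright."""
    return SSI_OPEN in entry

def escape_partial(entry: str) -> str:
    """Approach 2 as literally stated: only < and > are replaced."""
    return entry.replace("<", "&lt;").replace(">", "&gt;")

def escape_full(entry: str) -> str:
    """Approach 2 with & (and quotes) escaped too, via the standard library."""
    return html.escape(entry, quote=True)

def rendered(stored: str) -> str:
    """Text a browser displays for the stored markup (entity decoding only)."""
    return html.unescape(stored)

# Constructed sample guestbook entries.
SAMPLES = [
    'Nice site! <!--#echo var="DATE_LOCAL" -->',  # contains an SSI directive
    "I type &lt;b&gt; when I mean bold",          # already contains entity text
    "Tea & biscuits, 3 > 2",                       # ordinary punctuation
]

def compare(entry: str) -> dict:
    """Summarise how each approach treats one entry."""
    partial, full = escape_partial(entry), escape_full(entry)
    return {
        "rejected": reject_ssi(entry),
        # After escaping, the server's SSI parser has nothing to match.
        "ssi_survives_partial": SSI_OPEN in partial,
        "ssi_survives_full": SSI_OPEN in full,
        # Does the visitor see exactly what was typed?
        "faithful_partial": rendered(partial) == entry,
        "faithful_full": rendered(full) == entry,
    }

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), compare(sample))
```
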
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:59:49 PDT