Re: CGI.pm and the untrusted-URL problem

From: Olaf Seibert (rhialtoat_private)
Date: Wed Feb 16 2000 - 05:28:17 PST

    On Mon 14 Feb 2000 at 14:01:48 -0500, Kragen Sitaker wrote:
    > The successful exploit requires a remarkable chain of extreme forgiveness:
    > 1- The web browser must accept an illegal URL from (possibly valid,
    >    although very unusual) HTML.
    > 2- The web browser must send an illegal HTTP request with the illegal
    >    URL, without %-encoding the URL to make it legal.
    > 3- The HTTP server must accept the illegal HTTP request.
    
    Squid, when used as a proxy, does not accept these incorrect URLs. Since
    I installed it as a "transparent proxy", I tend to get error messages
    from Squid about this from time to time. Usually this is due to sloppy
    HREFs, not anything malicious.
    
    -Olaf.
    --
    ___ Olaf 'Rhialto' Seibert - rhialtoat_private     -- If one tells the truth,
    \X/ .kun.nl     -- one is sure, sooner or later, to be found out. (Oscar Wilde)
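
The strict behaviour described in the message above, an intermediary refusing request URLs that carry raw characters which should have been %-encoded, sketched as an added example that is not part of the original post and is not Squid's code. The RFC 3986 character set, the function names and the sample request lines are assumptions constructed for illustration.

```python
import re

# Characters RFC 3986 lets a URI carry literally (unreserved + reserved).
# Anything else, including a raw space, '<', '>' or '"', must be %-encoded.
_LEGAL = re.compile(r"[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=]")
_PCT = re.compile(r"%[0-9A-Fa-f]{2}")   # a well-formed %XX escape


def illegal_chars(target):
    """Return (offset, char) for each character that may not appear raw."""
    bad, i = [], 0
    while i < len(target):
        if _PCT.match(target, i):        # skip a complete %XX escape
            i += 3
            continue
        if not _LEGAL.match(target[i]):  # a bare '%' also lands here
            bad.append((i, target[i]))
        i += 1
    return bad


def check_request_line(line):
    """Return (status, detail): 200 if the request URL is legal, else 400."""
    line = line.rstrip("\r\n")
    # Split off the method from the left and the version from the right, so a
    # raw space inside the URL is reported instead of silently mis-parsed.
    method, sep1, rest = line.partition(" ")
    target, sep2, version = rest.rpartition(" ")
    if not (method and sep1 and sep2 and target
            and re.fullmatch(r"HTTP/\d\.\d", version)):
        return 400, "malformed request line"
    bad = illegal_chars(target)
    if bad:
        found = ", ".join(f"{ch!r} at offset {pos}" for pos, ch in bad)
        return 400, "URL needs %-encoding: " + found
    return 200, "ok"


# Constructed sample request lines (not taken from any real log).
SAMPLES = [
    "GET /cgi-bin/search.cgi?q=%3Cb%3Ehello%3C%2Fb%3E HTTP/1.0",  # encoded
    "GET /cgi-bin/search.cgi?q=<b>hello</b> HTTP/1.0",            # raw markup
    "GET /docs/my file.html HTTP/1.0",                            # sloppy HREF
    "GET /report%zz HTTP/1.0",                                    # broken escape
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(check_request_line(sample), sample)
```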
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:35:06 PDT