Re: Sendpage (Perl CGI) Remote Execution Vulnerability

From: John Imrie (john.imrieat_private)
Date: Wed Nov 28 2001 - 01:24:30 PST


[snip]

> To fix, simply filter out all "dangerous" characters:
> ,';"/`\%$#{}-&<>... I prefer to keep things simple and remove all
> non-alphanumeric characters:
>
> 	$message =~ s/[^\w\s]//g;
>

I find that filtering out dangerous characters can lead to problems, as it is
always possible to miss one. A safer version is to only allow 'good'
characters

$message =~ s/[^A-Za-z0-9]//g;
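
The two filters above side by side, as an added example that is not code from John's post or from Sendpage itself. It runs the quoted denylist filter and the allowlist filter over the same constructed inputs so the difference is visible, and adds a third variant that validates and rejects instead of silently rewriting. The function names, the accept policy (ASCII letters, digits and spaces, at most 160 characters) and the sample messages are assumptions made for this example.

```perl
#!/usr/bin/perl
# Added example (not from the original post or from Sendpage): compares the
# quoted denylist-style filter with the allowlist filter from the reply, and
# shows a stricter variant that rejects unexpected input instead of rewriting
# it. All function names, the policy and the sample inputs are constructed.
use strict;
use warnings;

# Denylist flavour from the quoted message: strip everything that is not a
# "word" or whitespace character. \w and \s are broader than they look:
# underscore, tab and newline all survive, and under Unicode rules so do
# many non-ASCII letters and digits.
sub filter_denylist {
    my ($message) = @_;
    $message =~ s/[^\w\s]//g;
    return $message;
}

# Allowlist flavour from the reply: keep only ASCII letters and digits.
# Whatever the input contains, the output can only contain these 62 bytes.
sub filter_allowlist {
    my ($message) = @_;
    $message =~ s/[^A-Za-z0-9]//g;
    return $message;
}

# Stricter variant: validate rather than rewrite. Accept the message only if
# it already consists of allowed characters (constructed policy: ASCII
# letters, digits and spaces, 1 to 160 of them); otherwise return undef so
# the caller can refuse the request instead of guessing what was meant.
# \A and \z are used on purpose: $ would also match before a trailing
# newline, which is exactly the kind of character a validator must not let
# through.
sub validate_allowlist {
    my ($message) = @_;
    return undef unless defined $message;
    return undef unless $message =~ /\A[A-Za-z0-9 ]{1,160}\z/;
    return $message;
}

# Make tabs and newlines visible when printing results.
sub visible {
    my ($s) = @_;
    return '<rejected>' unless defined $s;
    $s =~ s/\t/\\t/g;
    $s =~ s/\n/\\n/g;
    return $s;
}

# Constructed sample inputs: one benign pager message, one carrying
# characters that the denylist keeps but the allowlist does not.
my @samples = (
    "Server room pager test 123",
    "hello_world\ttabbed\nsecond line",
);

for my $msg (@samples) {
    printf "input:     %s\n", visible($msg);
    printf "denylist:  %s\n", visible(filter_denylist($msg));
    printf "allowlist: %s\n", visible(filter_allowlist($msg));
    printf "validate:  %s\n", visible(validate_allowlist($msg));
    print "\n";
}
```

For the second sample the denylist filter returns the input unchanged, because underscore, tab and newline are all matched by `\w` or `\s`; the allowlist filter collapses it to `helloworldtabbedsecondline`; the validating variant rejects it. Whether stripping or rejecting is the right response depends on the application, but in both allowlist forms the set of characters that can reach the rest of the program is fixed by the pattern rather than by how complete a list of bad characters is.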
    

    This archive was generated by hypermail 2b30 : Wed Nov 28 2001 - 13:36:20 PST