Re: SSI & CSS execution in MakeBook 2.2

From: Kristina Pfaff-Harris (kristinaat_private)
Date: Thu Jun 13 2002 - 08:13:02 PDT

    In-Reply-To: <20020612072206.29312.qmailat_private>
    
    >Advisory name: SSI & CSS execution in MakeBook 2.2
    >Advisory number: 5
    >Application: MakeBook 2.2 (CGI script)
    >Application author: Kristina Pfaff-Harris 
    
    Gah. This is embarrassing, especially since the original advisory about 
    Matt's guestbook came out frigging years ago.
    
    ~sigh~
    
    Name, email, and text entered are now checked more rigorously, which 
    should fix this bug.  I've notified all registered users of the script to 
    upgrade immediately.
    
    The fix is a quick and ugly one, and does not allow for international 
    characters in either the name or the email, and thus does not allow for 
    several perfectly valid email addresses, but also should eliminate the 
    vulnerability. Names now are stripped of everything but A-Za-z0-9-_.'
    and emails of everything but A-Za-z0-9-_.@ .
    
    Btw, and just as a side note, does anyone actually notify the writer of 
    the script/software/whatever that has an exploit anymore? (I mean besides 
    just posting to BugTraq?) It would have been nice to see a note about this 
    before seeing it here. :-)
    
    Kristina
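
The allow-list stripping described in the message above, as an added example that is not part of the original post and is not MakeBook's own code. It is written in Python rather than the script's language; the function names and sample inputs are constructed, and because the post does not make clear whether a space is permitted, the sketch assumes it is not.

```python
import re

# Character sets quoted in the message: names keep A-Za-z0-9-_.' and
# e-mail addresses keep A-Za-z0-9-_.@ (assumption: no space in either set).
ALLOWED = {
    "name": r"A-Za-z0-9\-_.'",
    "email": r"A-Za-z0-9\-_.@",
}


def sanitize(field, value):
    """Strip every character outside the field's allow-list.

    Returns (cleaned, removed) so the caller can log what was dropped
    instead of silently storing altered input.
    """
    disallowed = re.compile("[^" + ALLOWED[field] + "]")
    removed = "".join(disallowed.findall(value))
    return disallowed.sub("", value), removed


def has_markup(value):
    """True if the value still holds characters that can open a tag or comment."""
    return any(ch in value for ch in "<>\"#!")


if __name__ == "__main__":
    # Constructed sample inputs: two markup attempts and two legitimate values.
    samples = [
        ("name", '<!--#echo var="DATE_LOCAL" -->'),
        ("email", "<script>alert(1)</script>@example.org"),
        ("name", "Jos\u00e9 M\u00fcller"),
        ("email", "user+tag@example.org"),
    ]
    for field, raw in samples:
        cleaned, removed = sanitize(field, raw)
        print(f"{field:5} {raw!r} -> {cleaned!r} (dropped {removed!r})")
```

The last two samples show the cost the message mentions: an accented name and a valid plus-addressed e-mail are both altered by the same filter that removes the markup.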
    



    This archive was generated by hypermail 2b30 : Thu Jun 13 2002 - 12:15:38 PDT