Re: CGI.pm vulnerable to Cross-site Scripting

From: Erwann CORVELLEC (Erwann.Corvellecat_private)
Date: Wed Jul 23 2003 - 01:20:12 PDT


    On 22/07/2003 18:57, Lincoln Stein wrote:
    > But this was fixed long ago in version 2.94.  We're at version 2.98 now.  The 
    > most up-to-date copy is always in CPAN.
    
      Please find attached the patch against CGI.pm version 2.98.
    
    --
    Erwann Corvellec
    
    
    --- CGI.pm.ori	2003-06-18 21:57:21.000000000 +0200
    +++ CGI.pm	2003-07-23 09:53:18.000000000 +0200
    @@ -1641,7 +1641,7 @@
         unless (defined $action) {
            $action = $self->url(-absolute=>1,-path=>1);
            if (length($ENV{QUERY_STRING})>0) {
    -           $action .= "?$ENV{QUERY_STRING}";
    +           $action .= '?' . $self->escapeHTML($ENV{QUERY_STRING},1);
            }
         }
         $action =~ s/\"/%22/g;  # fix cross-site scripting bug reported by obscure
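Review bot: The escaping added on the `+` line covers only the query string, so the other parts of `$action` still reach the form tag with nothing but the `s/\"/%22/g` substitution applied. That includes the value returned by `$self->url(-absolute=>1,-path=>1)` and any `$action` supplied by the caller, since the whole block is skipped when `$action` is already defined. Consider escaping the complete `$action` once, after the `unless` block and just before it is written into the attribute, so every source of the value goes through the same encoding. As written, the result also mixes HTML entity encoding for the query string with URL encoding (`%22`) for quotes elsewhere in the same attribute; a single encoding step would be easier to audit. The second argument `1` passed to `escapeHTML` is not explained in the hunk, and a short comment stating what it enables would help the next reader.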
    


