[1586] in WWW Security List Archive


Re: IIS - .CMD/.BAT Patch Provides Security Enhancements to II

daemon@ATHENA.MIT.EDU (Adam Shostack)
Tue Mar 5 15:40:50 1996

From: Adam Shostack <adam@bwh.harvard.edu>
To: trei@process.com
Date: Tue, 5 Mar 1996 12:05:56 -0500 (EST)
Cc: backoffice-postmaster@canon.bhs.com, webserver-nt@delta.process.com,
        nt-announce@metric.com, iwntug@iwntug.org,
        www-security@ns2.rutgers.edu, eastlake@ns2.rutgers.edu,
        trei@ns2.rutgers.edu
In-Reply-To: <199603041531.KAA14346@ns2.rutgers.edu> from "Peter Trei" at Mar 4, 96 10:39:10 am
Errors-To: owner-www-security@ns2.rutgers.edu

Peter Trei wrote:

| desired CGI script. This is an old hole, one exploited many times in the
| past in other contexts - developers of firewall software have long been
| aware of it. In general, a program should regard any requests it
| receives from untrusted users with extreme paranoia, and check to
| ensure they contain nothing which is unexpected.

	Actually, programs should check that their input only contains
that which is expected and safe.

	The difference is that your list of unsafe characters is
likely to be incomplete, and allow through a character you don't
handle correctly.  If you accept only a-z, A-Z, 0-9, and other
characters as is appropriate for a field, you are much less likely to
run into trouble.  If you don't accept %&;$|<>!/\. then you might
encounter difficulty when someone sends you backticks.



Adam

-- 
"It is seldom that liberty of any kind is lost all at once."
					               -Hume
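The deny-list versus allow-list contrast in the reply above, as an added example that is not part of the original message. The deny-list is the character set quoted in the mail; the allow-list pattern and the sample inputs are assumptions constructed for this illustration.

```python
import re

# Deny-list approach from the message: reject these characters and let
# everything else through.
DENYLIST = frozenset('%&;$|<>!/\\.')

def denylist_accepts(value: str) -> bool:
    """True when none of the listed characters appear (incomplete by design)."""
    return not any(ch in DENYLIST for ch in value)

# Allow-list approach: a field that holds a short identifier only ever needs
# letters, digits, underscore and hyphen; anything else is rejected.
# The exact set is an assumption for this example and depends on the field.
# fullmatch() is used instead of '$' so a trailing newline cannot slip past.
ALLOWLIST_RE = re.compile(r'[A-Za-z0-9_-]{1,64}')

def allowlist_accepts(value: str) -> bool:
    """True only when every character is explicitly permitted."""
    return ALLOWLIST_RE.fullmatch(value) is not None

# Constructed sample inputs: the last three carry the kind of characters a
# hand-written deny-list tends to miss (backticks, CR/LF, a NUL byte).
SAMPLES = [
    "weekly_report-1",
    "a;b",
    "report`id`",
    "name\r\nx",
    "file\x00",
]

def compare(samples):
    """Map each sample to (deny-list verdict, allow-list verdict)."""
    verdict = lambda ok: "accepted" if ok else "rejected"
    return {s: (verdict(denylist_accepts(s)), verdict(allowlist_accepts(s)))
            for s in samples}

if __name__ == "__main__":
    for s, (deny, allow) in compare(SAMPLES).items():
        print(f"{s!r:20} deny-list: {deny:9} allow-list: {allow}")
```

Running the block shows the backtick, CR/LF and NUL samples accepted by the deny-list check but rejected by the allow-list check.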

