[13886] in bugtraq
Re: CGI.pm and the untrusted-URL problem
daemon@ATHENA.MIT.EDU (Olaf Seibert)
Thu Feb 17 06:38:20 2000
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id:  <20000216142817.B27830@polder.ubc.kun.nl>
Date:         Wed, 16 Feb 2000 14:28:17 +0100
Reply-To: Olaf Seibert <rhialto@POLDER.UBC.KUN.NL>
From: Olaf Seibert <rhialto@POLDER.UBC.KUN.NL>
X-To:         Kragen Sitaker <kragen@POBOX.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <Pine.GSO.4.21.0002141129470.18255-100000@kirk.dnaco.net>

On Mon 14 Feb 2000 at 14:01:48 -0500, Kragen Sitaker wrote:
> The successful exploit requires a remarkable chain of extreme forgiveness:
> 1- The web browser must accept an illegal URL from (possibly valid,
>    although very unusual) HTML.
> 2- The web browser must send an illegal HTTP request with the illegal
>    URL, without %-encoding the URL to make it legal.
> 3- The HTTP server must accept the illegal HTTP request.

Squid, when used as a proxy, does not accept these incorrect URLs. Since
I installed it as a "transparent proxy", I tend to get error messages
from Squid about this from time to time. Usually this is due to sloppy
HREFs, not anything malicious.
-Olaf.
--
___ Olaf 'Rhialto' Seibert - rhialto@polder.ubc.     -- If one tells the truth,
\X/ .kun.nl     -- one is sure, sooner or later, to be found out. (Oscar Wilde)