[23283] in bugtraq
Re: Sendpage (Perl CGI) Remote Execution Vulnerability
daemon@ATHENA.MIT.EDU (John Imrie)
Wed Nov 28 16:37:12 2001
Content-Type: text/plain;
charset="iso-8859-1"
From: John Imrie <john.imrie@pa.press.net>
To: <bugtraq@securityfocus.com>
Date: Wed, 28 Nov 2001 09:24:30 +0000
In-Reply-To: <000001c17780$49ff1e60$6400000a@monkey>
MIME-Version: 1.0
Message-Id: <01112809243004.01160@bilbo>
Content-Transfer-Encoding: 8bit
[snip]
> To fix, simply filter out all "dangerous" characters:
> ,';"/`\%$#{}-&<>... I prefer to keep things simple and remove all
> non-alphanumeric characters:
>
> $message =~ s/[^\w\s]//g;
>
I find that filtering out dangerous characters can lead to problems, as it is
always possible to miss one. A safer version is to only allow 'good'
characters:

$message =~ s/[^A-Za-z0-9]//g;
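The two substitutions in this thread look similar but keep different sets of characters, and the difference is exactly what the reply is getting at: the set behind \w and \s depends on the regex engine and on locale or Unicode settings, while A-Za-z0-9 is fixed. The following is an added illustration (not code from either poster or from Sendpage) that transcribes both Perl substitutions into Python's re module, whose \w for str patterns matches Unicode letters and digits plus underscore, much as Perl does for Unicode strings, and reports which characters pass one filter but not the other on a constructed sample message.

```python
import re

# The two filters from the thread, transcribed from Perl s/// to Python re.
# Both are "keep only these characters" rules; they differ in how large the
# kept set is. In Python 3 (str patterns) \w covers any Unicode letter/digit
# and '_', and \s covers tabs, newlines and other Unicode whitespace.
WORD_SPACE = re.compile(r"[^\w\s]")         # first poster: strip non-\w, non-\s
ASCII_ALNUM = re.compile(r"[^A-Za-z0-9]")   # reply: keep ASCII letters/digits only


def filter_word_space(message: str) -> str:
    """Python equivalent of: $message =~ s/[^\\w\\s]//g;"""
    return WORD_SPACE.sub("", message)


def filter_ascii_alnum(message: str) -> str:
    """Python equivalent of: $message =~ s/[^A-Za-z0-9]//g;"""
    return ASCII_ALNUM.sub("", message)


def only_in_word_space(message: str) -> set:
    """Characters that survive the \\w\\s filter but not the A-Za-z0-9 filter.

    Anything returned here reaches downstream code under the first rule and
    is dropped under the second; underscore, whitespace (including newlines)
    and non-ASCII letters are the usual suspects.
    """
    return set(filter_word_space(message)) - set(filter_ascii_alnum(message))


# Constructed sample input (not from the advisory): a pager message padded with
# an underscore, a tab, a newline and a non-ASCII letter, which is where the
# two character classes disagree.
SAMPLE = "Call_me at 5pm;\tsee notes.txt\n\u00c4"

if __name__ == "__main__":
    print("keep \\w\\s      :", repr(filter_word_space(SAMPLE)))
    print("keep A-Za-z0-9:", repr(filter_ascii_alnum(SAMPLE)))
    print("differ on     :", sorted(only_in_word_space(SAMPLE)))
```

Running it shows the first rule passing the underscore, the tab, the newline and the umlaut through, while the second leaves only the ASCII letters and digits. Neither rule is a general sanitiser: if the application needs spaces or punctuation in a page, the right fix is to stop handing the message to a shell at all, and use a character allowlist only as defence in depth.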