[24144] in bugtraq
Re: new advisory
daemon@ATHENA.MIT.EDU (Andrew Simmons)
Wed Feb 6 18:27:11 2002
Message-ID: <3C5F3A3C.9000103@zpok.demon.co.uk>
Date: Tue, 05 Feb 2002 01:49:48 +0000
From: Andrew Simmons <andrew@zpok.demon.co.uk>
MIME-Version: 1.0
To: sj@datanet.hu
Cc: bugtraq <bugtraq@securityfocus.com>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
sj@datanet.hu wrote:
> I think some filtering after the line '$q = new CGI;' would help a little
>
> Eg.
>
> my $SECMSG = "Pliz dont hekk us\n";
>
> if(!defined $q->param('cfg')){ die "missing cfg file\n"; }
> my $xx = $q->param('cfg');
>
> if($xx =~ /\.\.|\/\/|\.\//){ die $SECMSG; }
Eek! leaning toothpick syndrome!
if ($xx =~ m"\.\. |   # if match '..' anywhere, or
             //   |   # match '//' anywhere, or
             \./  "x) { # match './' anywhere:
    die $SECMSG;
}
Of course, as a general rule, it's better to take a leaf out of the
firewall admin's book: deny everything by default, then allow only
specific, known good patterns. For example, isn't this code prone to
fragility in the presence of hex-encoded characters?
\a
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (CYGWIN_NT-4.0)
Comment: For info see http://www.gnupg.org
iD8DBQE8XzoKkZawWPzItK8RAiPEAJ9ZoMw1HyHT9IQ3dHHGTPjDiZ2WawCfUop/
Wg3BBi5iR0iP81E9RPqCbdk=
=IaK8
-----END PGP SIGNATURE-----
--
=( Andrew Simmons PGP public key:
=( http://certserver.pgp.com:11371/pks/lookup?op=get&search=0xFCC8B4AF
=( Perl, security, net- and sys- admin, Linux, NT
=( http://www.zpok.demon.co.uk/cv.(doc|txt)
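Added example (Perl, not part of the original post or its quoted advisory): the deny-list pattern from the thread beside an allow-list check of the kind recommended above, run over a few constructed values for the cfg parameter, one of them percent-encoded. The function names, the rule that a valid value is a bare file name ending in ".cfg", and the sample values are all assumptions made for the illustration.

```perl
#!/usr/bin/perl
# Added example, not from the original post: deny-list vs. allow-list
# validation of a CGI 'cfg' parameter.
use strict;
use warnings;

# Deny-list check as quoted in the thread: reject '..', '//' and './'
# anywhere in the value, accept everything else.
sub denylist_ok {
    my ($cfg) = @_;
    return $cfg !~ m{\.\. | // | \./}x;
}

# Allow-list check (assumed policy): a bare file name made of word
# characters, dots and hyphens, not starting with a dot, ending in '.cfg'.
# No '/', no '%', nothing else gets through, so encoding tricks are moot.
sub allowlist_ok {
    my ($cfg) = @_;
    return $cfg =~ m{\A [A-Za-z0-9_][A-Za-z0-9_.-]* \.cfg \z}x;
}

# Single round of %XX decoding, standing in for a later layer (or a second
# decode) that turns a percent-encoded value back into raw characters.
sub percent_decode {
    my ($s) = @_;
    $s =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;
    return $s;
}

# Constructed sample values for the cfg parameter.
my @cases = (
    'site.cfg',               # plain, expected to pass both checks
    '../outside.cfg',         # literal traversal, both checks reject
    '%2e%2e/outside.cfg',     # same thing percent-encoded: the deny-list
                              # sees no '..' and passes it; the allow-list
                              # rejects it because '%' and '/' are not allowed
);

for my $raw (@cases) {
    printf "%-22s deny-list: %-6s allow-list: %-6s (decodes to %s)\n",
        $raw,
        denylist_ok($raw)  ? 'pass' : 'REJECT',
        allowlist_ok($raw) ? 'pass' : 'REJECT',
        percent_decode($raw);
}
```

Run as a plain script; the third line of output is the point of the exercise: the deny-list lets the encoded value through, and it only becomes "../outside.cfg" once something downstream decodes it, whereas the allow-list rejects it before any decoding question arises. CGI.pm already decodes %XX once when it parses the query, so in a real handler the decode step models a second, later decode rather than the first.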