[4876] in bugtraq


Re: Vulnerability in Glimpse HTTP

daemon@ATHENA.MIT.EDU (Paul Phillips)
Wed Jul 9 04:57:03 1997

Date: 	Tue, 8 Jul 1997 17:00:03 -0700
Reply-To: Paul Phillips <paulp@go2net.com>
From: Paul Phillips <paulp@GO2NET.COM>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <19970702135252.37541@usaccess-inc.com>

On Wed, 2 Jul 1997, Brian Gentry wrote:

> if($indexdir =~ tr/;<>*|`&$!#()[]{}:'"//) {
>         print "<H1>Evil characters found! Exiting.</H1>";
>         exit(1);
>   }
>
> [snip]
> I had seen this tr "test" before and went looking for it.  I found it in
> a pretty good tutorial on cgi security.  You can read it at:
>
> http://www.go2net.com/people/paulp/cgi-security/safe-cgi.txt

Hi folks.  Author here.  There are at minimum three bad characters
missing from the above test, one of which was pointed out to me recently
and startled me into actually updating the document after its nearly two
years of peace and quiet.

They are...

  ^ (acts as pipe under some shells)
 \n (acts as shell delimiter)
  \ (in the esc_chars version of the function, this allows \; to
     be escaped as \\;, then unescaped by shell into \; again.)

This should be somewhat disturbing as a rather fearful number of
people have read that document and only a very few have actually
noticed these oversights.  I certainly hope the majority of programmers
have been taking the advice therein, which is not to use this sort
of error prone method but to limit input data to a specific set of
known-safe characters.

I knew that old *code* never died, but I wasn't quite aware that the
same applied to documentation, until now...

--
Paul Phillips      | why would you want to own /dev/null?  "ooo!  ooo!  look!
Mordant Surfer     | i stole nothing!  i'm the thief of nihilism!  i'm the new
<paulp@go2net.com> | god of zen monks."
+1 206 447 1595    |   -- Kevin Lyda, alt.sysadmin.recovery
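The following is an added illustration, not code from the thread or from the cgi-security tutorial: it transcribes the quoted Perl tr/// blacklist into Python, adds the three characters the reply names (^, newline, backslash), and sets an allowlist beside it. The allowlist pattern, the esc_chars reconstruction and the sample inputs are assumptions made for this example; the helper that counts unescaped semicolons models only POSIX backslash handling.

```python
import re

# Blacklist as quoted in the thread: tr/;<>*|`&$!#()[]{}:'"// (transcribed)
ORIGINAL_BAD = set(";<>*|`&$!#()[]{}:'\"")
# The three characters the follow-up says are missing.
EXTRA_BAD = set("^\n\\")
EXTENDED_BAD = ORIGINAL_BAD | EXTRA_BAD


def blacklist_ok(value, bad=ORIGINAL_BAD):
    """True if no character of value is in the bad set (the tr/// approach)."""
    return not any(ch in bad for ch in value)


# Allowlist (assumed for this example): what a directory name legitimately needs.
# \A and \Z are used deliberately: with ^ and $, a trailing newline still matches.
SAFE_RE = re.compile(r'\A[A-Za-z0-9_./-]+\Z')
SLOPPY_RE = re.compile(r'^[A-Za-z0-9_./-]+$')


def allowlist_ok(value):
    """Accept only if every character is in the known-safe set."""
    return SAFE_RE.match(value) is not None


def allowlist_sloppy(value):
    """Same idea anchored with ^...$; shown only to expose the newline pitfall."""
    return SLOPPY_RE.match(value) is not None


def esc_chars_original(value):
    """Reconstruction (assumed) of an esc_chars that backslash-escapes the
    original list but leaves backslash itself alone."""
    return ''.join('\\' + ch if ch in ORIGINAL_BAD else ch for ch in value)


def esc_chars_fixed(value):
    """Escape backslash as well; newline cannot be neutralised portably, so reject it."""
    if '\n' in value:
        raise ValueError("newline in input; reject rather than escape")
    return ''.join('\\' + ch if ch in EXTENDED_BAD else ch for ch in value)


def unescaped_semicolons(fragment):
    """Count ';' a POSIX shell would see as a command separator, i.e. not
    consumed by a preceding backslash (a backslash escapes exactly one char)."""
    count, i = 0, 0
    while i < len(fragment):
        if fragment[i] == '\\':
            i += 2          # backslash takes the next character with it
            continue
        if fragment[i] == ';':
            count += 1
        i += 1
    return count


if __name__ == '__main__':
    for sample in ("docs/notes-1", "docs^notes", "docs\n", "a\\;b"):  # constructed
        print(repr(sample),
              "orig-blacklist:", blacklist_ok(sample),
              "ext-blacklist:", blacklist_ok(sample, EXTENDED_BAD),
              "allowlist:", allowlist_ok(sample))
    print(repr(esc_chars_original("a\\;b")), unescaped_semicolons(esc_chars_original("a\\;b")))
    print(repr(esc_chars_fixed("a\\;b")), unescaped_semicolons(esc_chars_fixed("a\\;b")))
```

The input `a\;b` is the case the reply describes: escaping only the semicolon yields `a\\;b`, which the shell reads as a literal backslash followed by a live separator, whereas escaping the backslash first gives `a\\\;b` with nothing left unescaped. The allowlist needs no such bookkeeping, which is the advice the reply repeats.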
