[7042] in bugtraq


Re: guestbook script is still vulnerable under apache

daemon@ATHENA.MIT.EDU (Andrew Clegg)
Fri Jun 26 16:56:11 1998

Date: 	Fri, 26 Jun 1998 09:50:30 +0100
Reply-To: Andrew Clegg <surfboy@DARKWAVE.ORG.UK>
From: Andrew Clegg <surfboy@DARKWAVE.ORG.UK>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <XFMail.980626022514.sfx@unix-ag.org>; from Lars Eilebrecht on
              Fri, Jun 26, 1998 at 02:25:14AM +0200

Quoting Lars Eilebrecht (Lars.Eilebrecht@UNIX-AG.ORG):
>
> IMHO the guestbook script should not try to strip out SSIs, but rather
> reject every input which contains the sequence "<!--#".

Personally I favour replacing every < with a &lt; and every > with a &gt;.

That way the users get out exactly what they put in...

Andrew.
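The three approaches discussed in this thread (stripping the SSI opener, rejecting entries that contain it, and escaping the angle brackets) side by side, as an added example; this is not code from Andrew's or Lars's posts nor from the guestbook script under discussion. The sample entries are constructed for the illustration, and the functions and names are the example's own. The "strip once" variant is included only to show why a single pass of removal is unsafe: deleting one "<!--#" can leave the surrounding characters to form a new one.

```python
# Constructed sample entries, as a guestbook CGI might receive them from an
# HTML form. None of these come from the original thread.
SAMPLES = {
    "plain":  "Nice site! Greetings from Andrew <surfboy@example.invalid>",
    "ssi":    '<!--#exec cmd="cat /etc/passwd" -->',
    # The opener is split so that removing the inner "<!--#" re-assembles it.
    "nested": '<!-<!--#-#exec cmd="id" -->',
}

# Apache's mod_include only acts on directives that start with this token.
SSI_OPEN = "<!--#"


def contains_ssi(text: str) -> bool:
    """True if mod_include would see an SSI directive opener in the text."""
    return SSI_OPEN in text


def strip_ssi_once(text: str) -> str:
    """The approach the thread argues against: delete the opener once and
    hope nothing is left. The pieces around the deleted token can form a
    fresh opener, so the output may still contain a directive."""
    return text.replace(SSI_OPEN, "", 1)


def strip_ssi_repeatedly(text: str) -> str:
    """A strip that loops until no opener remains. Safe against the nested
    trick, but it silently mangles whatever the user typed."""
    while SSI_OPEN in text:
        text = text.replace(SSI_OPEN, "")
    return text


def is_rejected(text: str) -> bool:
    """Lars's suggestion: refuse any entry containing the opener, rather
    than trying to clean it."""
    return contains_ssi(text)


def escape_angle_brackets(text: str) -> str:
    """Andrew's suggestion: turn every < and > into its HTML entity. The
    browser renders the entry exactly as typed, and because no literal "<"
    survives, mod_include can never find "<!--#" in the stored page."""
    return text.replace("<", "&lt;").replace(">", "&gt;")


def sanitize_for_guestbook(entry: str) -> str:
    """The escaping policy applied to one entry, as a guestbook would store it."""
    return escape_angle_brackets(entry)


if __name__ == "__main__":
    for name, entry in SAMPLES.items():
        print(f"{name:7s} strip-once leaves SSI: {contains_ssi(strip_ssi_once(entry))}")
        print(f"{name:7s} rejected:              {is_rejected(entry)}")
        print(f"{name:7s} escaped:               {sanitize_for_guestbook(entry)}")
```

Note that escaping only "<" and ">" is enough to neutralise SSI, which is all this thread is about; a modern script would use `html.escape()` from the standard library, which also escapes "&" and quotes so the entry cannot inject markup or attributes either.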
