[28493] in bugtraq
Re: A security vulnerability in S8Forum
daemon@ATHENA.MIT.EDU (Steve Watt)
Mon Jan 20 22:49:23 2003
Message-Id: <200301070320.h073K1b4014387@wattres.Watt.COM>
In-Reply-To: <20030105032650.16087.h011.c009.wm@mail.canada.com.criticalpath.net>
From: steve@Watt.COM (Steve Watt)
Date: Mon, 6 Jan 2003 19:20:01 -0800
To: nmsh_sa@canada.com, bugtraq@securityfocus.com
In article <20030105032650.16087.h011.c009.wm@mail.canada.com.criticalpath.net> you write:
[ snip ]
>SOLUTION :
>==========
[ snip ]
> if(!eregi("^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$",
>$email) && $email !=
>"") {
Please note that there are many more characters valid in the LHS of an
email address, for example +, that are often desirable. Disallowing
such addresses is a major nuisance. A beautiful example is the useful
feature in sendmail that allows user+whatever@dom.ain, which allows
users to invent infinite variations on their email address for tracking
spam database propagation.
In this particular application, the error is more widespread than the
fix you cite -- if you're going to allow random users to control file
names on your system, you certainly shouldn't put the contents somewhere
that a web server can directly find it.
That bit of software seems to need a major review.
--
Steve Watt KD6GGD PP-ASEL-IA ICBM: 121W 56' 57.8" / 37N 20' 14.9"
Internet: steve @ Watt.COM Whois: SW32
Free time? There's no such thing. It just comes in varying prices...
