Can you tell the FSF web programmers to do more checking for HTML/SQL

Richard Stallman wrote:
http://z505.com/gng/fsf-gnu-site-easy-to-hack.htm
Your programmers should check POST/GET variables and in many cases only
allow alphanumeric characters in by default. Not through JavaScript but
at the server side during processing. Your search engine allows bad
characters in.. ones that can damage the site or cause malicious theft
of logins or other data through cross-site scripting.. by embedding
forms/input boxes into the site that post to another domain.
In the framework I develop, this problem is secured by default...
The functions I use for getting post/get variables trim malicious
attempts.. while the programmer can choose to use the insecure non-default
raw function if he really needs to:
http://z505.com/cgi-bin/powtils/docs/1.6/idx.cgi?file=getcgivar&unit=pwu...
http://z505.com/cgi-bin/powtils/docs/1.6/idx.cgi?file=getcgivar_s&unit=p...
I suggest your web programmers read up on how to secure web programs by
reading about what my GetCgiVar functions do, or by finding articles on
the net that explain how you have to filter/check each incoming POST/GET
request carefully each time.
I would have sent this privately to you, but many people will find this
security info useful and humorous. It is my duty to teach people about
web security, and only privately mailing you would mean thousands of
people that read this list would miss out on learning about HTML
injection. Plenty of large popular websites I visit are insecure in this
very manner.
Since this vulnerability is unfortunately exposed publicly.. fixing it
before too many people notice it would be good.
Regards,
L505
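The server-side, secure-by-default getter the post describes, as an added example that is not part of the original message and not the PowTils `GetCgiVar` code it links to. The function names `get_cgi_var`, `get_cgi_var_raw` and `render_search_page`, the allow-list and the sample query string are all constructed here for illustration. The block shows the two halves of the fix: a default getter that drops everything outside a server-side allow-list (the raw getter stays available as an explicit opt-in), and HTML escaping at output time so that a reflected search term cannot inject a form or other markup even if the allow-list is later relaxed.

```python
import html
import re
from urllib.parse import parse_qs

# Characters NOT in the default allow-list (letters, digits, space, _ - .).
# Anything matching this pattern is dropped by the default getter.
NOT_ALLOWED = re.compile(r"[^A-Za-z0-9 _\-.]")


def get_cgi_var_raw(query_string: str, name: str) -> str:
    """The 'insecure' raw getter: returns the decoded GET/POST value unchanged.
    Kept as an explicit opt-in for the rare case that needs it."""
    params = parse_qs(query_string, keep_blank_values=True)
    return params.get(name, [""])[0]


def get_cgi_var(query_string: str, name: str, max_len: int = 200) -> str:
    """The default getter: server-side allow-list filtering, so the check
    cannot be bypassed by a client that ignores JavaScript."""
    raw = get_cgi_var_raw(query_string, name)
    return NOT_ALLOWED.sub("", raw)[:max_len]


def render_search_page_unsafe(query_string: str) -> str:
    """The pattern the post complains about: the raw value is pasted straight
    into markup, so a term containing a <form> tag becomes part of the page."""
    term = get_cgi_var_raw(query_string, "q")
    return f"<p>Results for: <b>{term}</b></p>"


def render_search_page(query_string: str) -> str:
    """Hardened version: filtered input AND escaped output (defence in depth).
    html.escape turns < > & and quotes into entities, so even a value obtained
    through the raw getter could not break out of the text node."""
    term = get_cgi_var(query_string, "q")
    return f"<p>Results for: <b>{html.escape(term, quote=True)}</b></p>"


# Constructed sample request (not a real FSF URL): a search term that carries an
# injected form tag pointing at a third-party domain, URL-encoded as a browser
# would send it. It decodes to: gnu"><form action="https://third-party.example/">
SAMPLE = (
    "q=gnu%22%3E%3Cform+action%3D%22https%3A%2F%2Fthird-party.example%2F%22%3E"
    "&page=1"
)

if __name__ == "__main__":
    print("unsafe:", render_search_page_unsafe(SAMPLE))
    print("safe:  ", render_search_page(SAMPLE))
```

Note that allow-list stripping is lossy: a visitor searching for `C++` or `foo&bar` silently loses characters, which is acceptable for a simple site search but not for every field. Output escaping is the part that generalises to arbitrary input, which is why the hardened renderer applies it even to the already-filtered value; the allow-list mainly shrinks the attack surface and keeps obviously hostile input out of logs and databases.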
