Bugtraq mailing list archives
Re: Time to update those CGIs again
From: lsawyer () GCI COM (Leif Sawyer)
Date: Wed, 6 Oct 1999 14:11:12 -0800
FWIW, Netscape 4.08 for Wintel is immune to this, as is I.E. 5 however Netscape 4.6 for Solaris succombs to it. Lynx is immune as well. Long live lynx!
-----Original Message----- From: Chon-Chon Tang [mailto:ztang () WEBER LCS MIT EDU] Sent: Tuesday, October 05, 1999 12:52 PM To: BUGTRAQ () SECURITYFOCUS COM Subject: Re: Time to update those CGIs again I just tested this on Linux 2.0.34, Netscape Communicator 4.61 and the same problem exists. On Tue, 5 Oct 1999, Tymm Twillman wrote:Seems that at least some Unix versions of Netscape treatcharacters 0x8band 0x9b (NOT the strings "0x8b" and "0x9b" but thecharacters with theseascii values) just like < and > respectively... This could be a problem for guestbooks/web email/filteringprograms whichremove tags by filtering based on greater/less than characters. I've tested this on Linux with Netscape versions 4.51 and4.7; others haveconfirmed that Solaris versions behave the same...Apparently Mac/Windowsversions just display the characters instead of using them as tag delimiters. Here's a glob of code to show the problem: --- cut --- #!/usr/bin/perl $opentag = chr(0x8b).'a href="http://www.netscape.com"'.chr(0x9b); $closetag = chr(0x8b).'/a'.chr(0x9b); open OUT, '>uhoh.html' || die ("Couldn't open"); print OUT "If this $opentag link $closetag works, it could be bad."; close OUT; --- cut -- run this and point Netscape at the resulting uhoh.html file... It looks like this may be the result of some alternate character set compatability feature, but it's rather hard to tell... Ihave not seenthis documented anywhere however. -Tymm
Current thread:
- Time to update those CGIs again Tymm Twillman (Oct 05)
- Re: Time to update those CGIs again Chon-Chon Tang (Oct 05)
- Re: Time to update those CGIs again 3APA3A (Oct 06)
- Re: Time to update those CGIs again Sam Carter (Oct 08)
- Microsoft Security Bulletin (MS99-030) Aleph One (Oct 08)
- <Possible follow-ups>
- Re: Time to update those CGIs again Robert G. Ferrell (Oct 05)
- Re: Time to update those CGIs again Warren R. Carithers (Oct 06)
- Re: Time to update those CGIs again Leif Sawyer (Oct 06)
- Re: Time to update those CGIs again Wise Cat (Oct 08)