Bugtraq mailing list archives

Re: CGI security

From: buanzox () USA NET (Arturo Busleiman)
Date: Wed, 15 Sep 1999 00:13:11 -0300

But  there  is  EOL  character ('\0'.). If you will use something like
"/index.html?%00xxxxxxxxxxxxxxxxx" xxxxxxxxxxxxxxxxx propably will not
appear in any logs at all.

so, if I telnet localhost 80:
Trying 127.0.0.1
Connected to localhost
Escape character is '^]'.
GET /index.html?%00blabla

OK, I get index.html..... but....

# tail /var/log/messages/httpd.access_log
localhost - - [15/Sep/1999:00:09:30 -0300] "GET /usa.html?%00blabla" 200 8944

it does appear. did I missed something, or our assumptions were erroneous?

Current thread:

Redhat 6.0 Password Issues root3d (Sep 08)
- <Possible follow-ups>
- Re: Redhat 6.0 Password Issues Josh Higham (Sep 10)
  - Re: Redhat 6.0 Password Issues Erik Parker (Sep 11)
  - Re: Redhat 6.0 Password Issues Alan Brown (Sep 11)
    - CGI security Kerb (Sep 12)
    - Re: CGI security Ivo van der Wijk (Sep 13)
    - Re: CGI security Vladimir Dubrovin (Sep 14)
    - Re: CGI security Arturo Busleiman (Sep 14)
    - Multiple vulnerabilities in CDE Job de Haas (Sep 13)
    - Re: Multiple vulnerabilities in CDE Troy A. Bollinger (Sep 13)
    - Re: Multiple vulnerabilities in CDE Dan Astoorian (Sep 14)
    - Vulnerability in dtspcd Job de Haas (Sep 13)
    - Solaris 2.7 /usr/bin/mail Brock Tellier (Sep 13)
    - Stack Shield 0.5 beta vendicator () USA NET (Sep 13)
    - Re: Redhat 6.0 Password Issues Scott Manley (Sep 12)
    - Re: Redhat 6.0 Password Issues Roger Espel Llima (Sep 12)
    - Vulnerability in dtsession Job de Haas (Sep 13)
- Re: Redhat 6.0 Password Issues der Mouse (Sep 28)