Bugtraq mailing list archives
Re: CGI.pm and the untrusted-URL problem
From: rhialto () POLDER UBC KUN NL (Olaf Seibert)
Date: Wed, 16 Feb 2000 14:28:17 +0100
On Mon 14 Feb 2000 at 14:01:48 -0500, Kragen Sitaker wrote:
The successful exploit requires a remarkable chain of extreme forgiveness:
1- The web browser must accept an illegal URL from (possibly valid, although very unusual) HTML.
2- The web browser must send an illegal HTTP request with the illegal URL, without %-encoding the URL to make it legal.
3- The HTTP server must accept the illegal HTTP request.
Squid, when used as a proxy, does not accept these incorrect URLs. Since I installed it as a "transparent proxy", I tend to get error messages from Squid about this from time to time. Usually this is due to sloppy HREFs, not anything malicious.

-Olaf.
--
___ Olaf 'Rhialto' Seibert - rhialto () polder ubc.    -- If one tells the truth,
\X/ .kun.nl                                             -- one is sure, sooner or later, to be found out. (Oscar Wilde)
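The chain quoted above hinges on what counts as an "illegal" request-URI and on whether the receiving end is strict (as Olaf reports Squid is) or forgiving. The following is an added illustration, not code from this thread, from CGI.pm or from Squid: a small Python request-line checker that flags the characters RFC 2396 section 2.4.3 excludes from URIs (controls, space, the delims `<>#%"` and the unwise set `{}|\^[]```), rejects a request line carrying them the way a strict proxy would, and shows the %-encoding a careful browser would have applied to make the same URL legal. The character set and the `illegal_chars`/`parse_request_line`/`make_legal` names are this example's own simplification; Squid's real parser is more involved.

```python
"""Strict vs. forgiving handling of an un-%-encoded request-URI (added example)."""
import re
from urllib.parse import quote

# Characters RFC 2396 excludes from URIs (simplified set used by this example):
# ASCII controls, space, DEL, delims <>#" and the "unwise" {}|\^[]`.
# A literal '%' is legal only as the start of a %XX escape.
_EXCLUDED = set('<>#"{}|\\^[]`') | {' ', chr(0x7F)} | {chr(c) for c in range(0x20)}
_ESCAPE = re.compile(r'%[0-9A-Fa-f]{2}')


def illegal_chars(uri):
    """Return the sorted list of characters that make `uri` illegal ([] if it is fine)."""
    bad = set()
    i = 0
    while i < len(uri):
        ch = uri[i]
        if ch == '%':
            if _ESCAPE.match(uri, i):
                i += 3          # well-formed %XX escape, skip it whole
            else:
                bad.add('%')    # bare percent sign
                i += 1
            continue
        if ch in _EXCLUDED or ord(ch) > 0x7E:
            bad.add(ch)         # excluded or non-ASCII octet sent raw
        i += 1
    return sorted(bad)


def parse_request_line(line):
    """Parse 'METHOD SP Request-URI SP HTTP-Version' the strict way a proxy does.

    A URI containing a raw space already breaks the three-token shape; any other
    excluded character is refused explicitly instead of being passed on.
    """
    parts = line.rstrip('\r\n').split(' ')
    if len(parts) != 3 or not parts[2].startswith('HTTP/'):
        return {'ok': False, 'reason': 'malformed request line'}
    method, uri, version = parts
    bad = illegal_chars(uri)
    if bad:
        return {'ok': False, 'reason': 'illegal characters in URI: %r' % bad}
    return {'ok': True, 'method': method, 'uri': uri, 'version': version}


def make_legal(uri):
    """%-encode excluded characters so the URI becomes legal (step 2 of the chain).

    Reserved characters that give the URL its structure (/ ? = & : ; @ + $ ,) are
    kept, existing %XX escapes are kept, and a bare '%' becomes %25.
    """
    out = []
    i = 0
    while i < len(uri):
        if uri[i] == '%' and _ESCAPE.match(uri, i):
            out.append(uri[i:i + 3])
            i += 3
            continue
        out.append(quote(uri[i], safe="/?=&:;@+$,!*'()~-_."))
        i += 1
    return ''.join(out)


if __name__ == '__main__':
    # Constructed sample: the kind of sloppy HREF a forgiving browser sends verbatim.
    raw = 'GET /cgi-bin/foo.pl?x="><b>&y=100% HTTP/1.0\r\n'
    print(parse_request_line(raw))                       # refused by the strict parser
    fixed = 'GET %s HTTP/1.0\r\n' % make_legal('/cgi-bin/foo.pl?x="><b>&y=100%')
    print(fixed.strip())                                 # same URL, %-encoded
    print(parse_request_line(fixed))                     # now accepted
```

The point of the two parsers' disagreement is that a strict hop, such as a proxy in front of the CGI host, removes the third link of the chain whether or not the browser was careful; the forgiving server alone is what lets the raw characters reach the script.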
Current thread:
- CGI.pm and the untrusted-URL problem Kragen Sitaker (Feb 14)
- Re: CGI.pm and the untrusted-URL problem Marc Slemko (Feb 14)
- Re: CGI.pm and the untrusted-URL problem Olaf Seibert (Feb 16)
- Microsoft Security Bulletin (MS00-009) Microsoft Product Security (Feb 16)
- <Possible follow-ups>
- Re: CGI.pm and the untrusted-URL problem Kragen Sitaker (Feb 14)
- Windows 2000 installation process weakness Stephane Aubert (Feb 15)
- Sambar Server alert! Georgi Chorbadzhiyski (Feb 23)
- Re: Windows 2000 installation process weakness Stephane Aubert (Feb 23)
- Re: CGI.pm and the untrusted-URL problem Lincoln Stein (Feb 15)
- Windows 2000 installation process weakness Stephane Aubert (Feb 15)
- Re: CGI.pm and the untrusted-URL problem Kragen Sitaker (Feb 15)