Nmap Announce mailing list archives
Re: nmap..... via web
From: "David G. Andersen" <danderse () cs utah edu>
Date: Fri, 19 Feb 1999 14:51:51 -0700 (MST)
Lo and Behold, ajax said:
This doesn't look very sufficent to me. For example, the banned chars don't include space or '-'. So what is to stop someone from giving an IPi added the '-' check... its hard to embed a %0D%0A because '%' is already checked. also added checking for '/'. i'll make the script have clickable
[...] You're taking the wrong approach here. Fyodor alluded to the right way to go about this in his message. Repeat the first mantra of security after me: "Deny everything which is not explicitly allowed." Then, apply it to your CGI script: if ($ip_addr =~ /[^a-zA-Z0-9\.\-]/) { die "Invalid IP address. Go away, don't try to hack me.\n"; } (A valid hostname or IP address may only contain alphanumerics and the dash character. So why even bother checking for badness, when there's such a simple test for goodness?) -Dave, "two scoops of goodness in every package" -- work: danderse () cs utah edu me: angio () pobox com University of Utah http://www.angio.net/ Computer Science - Flux Research Group
Current thread:
- install fails. Jeffrey Roberson (Volt Computer) (Feb 18)
- nmap..... via web Erik Parker (Feb 18)
- Re: nmap..... via web MadHat (Feb 18)
- Re: nmap..... via web Andrew Brown (Feb 18)
- Re: nmap..... via web ajax (Feb 18)
- Re: nmap..... via web Fyodor (Feb 19)
- Re: nmap..... via web ajax (Feb 19)
- Re: nmap..... via web David G. Andersen (Feb 19)
- Re: nmap..... via web Lamont Granquist (Feb 19)
- Re: nmap..... via web Fyodor (Feb 19)
- Re: nmap..... via web Lars Marowsky-Bree (Feb 19)
- Re: nmap..... via web ajax (Feb 19)
- Re: nmap..... via web MadHat (Feb 18)
- Re: nmap..... via web Simple Nomad (Feb 19)
- nmap..... via web Erik Parker (Feb 18)
- Re: nmap..... via web HD Moore (Feb 19)
- Re: nmap..... via web ajax (Feb 18)