[Gllug] unicode and cross site scripting vulnerabilities

tet at accucard.com tet at accucard.com
Tue Feb 26 13:21:24 UTC 2002


>one way I sometimes make data safe is to replace or delete all chars 
>except say a-zA-Z0-9                                                 
>
>this means that I can be really sure that no awkward chars like
>quotes or <> will hang around to break things.

You're using a workaround, rather than fixing the root cause of
the problem. Make sure you use the input in a safe manner, instead
of trying to restrict the range of valid inputs. For example, using
fork()/exec() on user-provided commands, rather than system(),
immediately removes a bunch of shell-related vulnerabilities,
because the shell is never called in the first place.

If you're using a scripting language, make sure you use suitable
quoting when dereferencing supplied input. If the language can't deal
with metacharacters in user-supplied data at all, then switch to
another language. Otherwise, just code carefully, and use the features
provided by the language for dealing with these things (such as PHP's
addslashes/addcslashes), and you should be fine.

Tet

-- 
Gllug mailing list  -  Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug
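The system() versus fork()/exec() point above, as an added worked example (this is not code from the original message). It passes the same constructed attacker string through both paths and captures what each child actually prints: system() hands the string to /bin/sh, which honours the ";" and runs a second command, while execvp() delivers it as a single argv element and no shell ever sees it. It assumes a POSIX system with an "echo" binary on PATH; the helper names (run_capture, via_system, via_exec) are this example's own.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Constructed attacker input: looks like an ordinary argument, but carries a
 * shell metacharacter followed by a second command. */
static const char *UNTRUSTED = "hello; echo INJECTED";

/* Run "echo <arg>" in a child and capture the child's stdout into buf.
 * use_shell == 1 takes the system() path, 0 takes the fork()/execvp() path.
 * Returns the number of bytes captured, or -1 on a setup failure. */
static ssize_t run_capture(int use_shell, const char *arg, char *buf, size_t buflen) {
    int fds[2];
    if (pipe(fds) == -1) return -1;
    pid_t pid = fork();
    if (pid == -1) return -1;
    if (pid == 0) {
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]);
        close(fds[1]);
        if (use_shell) {
            /* Vulnerable path: the argument is spliced into a command line
             * that /bin/sh parses, so "; echo INJECTED" becomes a second command. */
            char cmd[256];
            snprintf(cmd, sizeof cmd, "echo %s", arg);
            int rc = system(cmd);
            _exit(rc == -1 ? 127 : WEXITSTATUS(rc));
        } else {
            /* Safe path: the argument is exactly one argv element. No shell is
             * involved, so metacharacters are just bytes in a string. */
            char *const argv[] = { "echo", (char *)arg, NULL };
            execvp("echo", argv);
            _exit(127);
        }
    }
    close(fds[1]);
    size_t total = 0;
    ssize_t n;
    while (total < buflen - 1 &&
           (n = read(fds[0], buf + total, buflen - 1 - total)) > 0)
        total += (size_t)n;
    buf[total] = '\0';
    close(fds[0]);
    int status;
    waitpid(pid, &status, 0);
    return (ssize_t)total;
}

/* Captured output of the two paths, for comparison. */
const char *via_system(char *buf, size_t len) { run_capture(1, UNTRUSTED, buf, len); return buf; }
const char *via_exec(char *buf, size_t len)   { run_capture(0, UNTRUSTED, buf, len); return buf; }

int main(void) {
    char out[256];
    printf("system(): %s", via_system(out, sizeof out));   /* two lines: hello / INJECTED */
    printf("execvp(): %s", via_exec(out, sizeof out));     /* one line, the string verbatim */
    return 0;
}
```

The exec path is only safe because the untrusted data lands in argv and not in the program name: if the program to run were itself user-supplied, execvp() would run it, which is the other half of the problem and is not addressed by avoiding system().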
