Security bug in CGI::Lite::escape_dangerous

this item just showed up on bugtraq. the jist is that CGI::Lite's escape_dangerous_chars() misses a few dangerous characters. i haven't confirmed the vulnerability myself, but if you're using CGI::Lite, you may want to take a closer look.

hasn't every perl programmer read phrack?

anders pearson

Comment on Security bug in CGI::Lite::escape_dangerous_chars()

Replies are listed 'Best First'.
Re: Security bug in CGI::Lite::escape_dangerous_chars() by Ovid (Cardinal) on Feb 11, 2003 at 22:26 UTC
Not having used CGI::Lite before, I never noticed that function, but I have to admit that I'm a bit puzzled. It seems to me that an experienced programmer should have noticed something named `escape_dangerous_characters()` before this. Trying to eliminate the dangerous is far more difficult than simply allowing the safe. Allow for too few "safe" characters, you restrict your functionality; allow for too few "dangerous" characters and you restrict your paychecks. Cheers, Ovid New address of my CGI Course. Silence is Evil (feel free to copy and distribute widely - note copyright text)	[reply]

Replies are listed 'Best First'.

Re: Security bug in CGI::Lite::escape_dangerous_chars()
by Ovid (Cardinal) on Feb 11, 2003 at 22:26 UTC

Not having used CGI::Lite before, I never noticed that function, but I have to admit that I'm a bit puzzled. It seems to me that an experienced programmer should have noticed something named escape_dangerous_characters() before this. Trying to eliminate the dangerous is far more difficult than simply allowing the safe.

Allow for too few "safe" characters, you restrict your functionality; allow for too few "dangerous" characters and you restrict your paychecks.

Cheers,
Ovid

New address of my CGI Course.
Silence is Evil (feel free to copy and distribute widely - note copyright text)

[reply]