
Re: IIS - .CMD/.BAT Patch Provides Security Enhancements to II



Peter Trei wrote:

| desired CGI script. This is an old hole, one exploited many times in the
| past in other contexts - developers of firewall software have long been
| aware of it. In general, a program should regard any requests it
| receives from untrusted users with extreme paranoia, and check to
| ensure they contain nothing which is unexpected.

	Actually, programs should check that their input only contains
that which is expected and safe.

	The difference is that your list of unsafe characters is
likely to be incomplete, and allow through a character you don't
handle correctly.  If you accept only a-z, A-Z, 0-9, and other
characters as is appropriate for a field, you are much less likely to
run into trouble.  If you don't accept %&;$|<>!/\. then you might
encounter difficulty when someone sends you backticks.



Adam

-- 
"It is seldom that liberty of any kind is lost all at once."
					               -Hume
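The contrast Adam draws, a deny-list of "bad" characters versus a per-field allow-list of expected ones, in working code. This is an added example, not code from either poster or from the IIS patch under discussion; the blocked character set is taken from the post (with backtick deliberately absent, as there), while the field names, the patterns and the sample query strings are constructed for illustration.

```python
import re
from urllib.parse import parse_qs

# Deny-list approach: the characters the post lists as "not accepted".
# As in the post, the backtick is missing, and so is newline, NUL, etc.
BLOCKLIST = set('%&;$|<>!/\\.')


def passes_denylist(value: str) -> bool:
    """True if none of the blocked characters appear in value."""
    return not any(ch in BLOCKLIST for ch in value)


# Allow-list approach: one pattern per field describing exactly what is
# expected. Field names and patterns are assumptions for this example.
FIELD_PATTERNS = {
    "user": re.compile(r"[A-Za-z0-9]{1,32}"),
    # a bare name plus an optional short extension; no '/', no '..'
    "doc": re.compile(r"[A-Za-z0-9_-]{1,64}(?:\.[A-Za-z0-9]{1,8})?"),
}


def passes_allowlist(field: str, value: str) -> bool:
    """True only if value fully matches the pattern expected for field.
    Unknown fields are rejected rather than guessed at."""
    pattern = FIELD_PATTERNS.get(field)
    if pattern is None:
        return False
    return pattern.fullmatch(value) is not None


def denylist_check(field: str, value: str) -> bool:
    # field is ignored: a deny-list does not know what the field means
    return passes_denylist(value)


def allowlist_check(field: str, value: str) -> bool:
    return passes_allowlist(field, value)


def check_request(query_string: str, field_check) -> dict:
    """Decode a CGI-style query string and apply field_check to every value.

    Validation runs on the *decoded* values, which is where a filter must
    look: '%60' in the raw query becomes a backtick after decoding.
    Returns {field: passed}; a repeated field must pass for every value.
    """
    params = parse_qs(query_string, keep_blank_values=True)
    return {field: all(field_check(field, v) for v in values)
            for field, values in params.items()}


if __name__ == "__main__":
    # Constructed sample requests: a backtick smuggled in as %60, a newline
    # as %0A, and an ordinary document name containing a dot.
    for query in ("user=alice%60id%60&doc=report.txt",
                  "user=alice%0Aid",
                  "doc=..%2Fetc%2Fpasswd"):
        print(query)
        print("  deny-list :", check_request(query, denylist_check))
        print("  allow-list:", check_request(query, allowlist_check))
```

Running it shows the two failure modes side by side: the deny-list waves through `alice\`id\`` and `alice\nid` because neither character was on the list, yet rejects the harmless `report.txt` because `.` was; the allow-list rejects both smuggled values and accepts the document name, without anyone having had to enumerate every dangerous character in advance.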

