Re: [fw-wiz] OT, sorta: Breaking pipes?



Do you use Perl at all with CGI scripts? If so, this is just an example of what might be done with anything written with custom scripts. In this case, it is a specific vendor, but it could happen to anyone who does not code diligently.

http://www.kb.cert.org/vuls/id/496064

Thank You,

Chris Myers
clmmacunix@xxxxxxxxxxx

John 1:17
For the Law was given through Moses; grace and truth were realized through Jesus Christ.


TIFF image

Go Vols!!!!

On Oct 27, 2009, at 1:48 PM, Kurt Buff wrote:

All,

At $WORK I admin a nice Sidewinder. Works well. I like it, though I'm
not as fully trained on it as I'd like to be.

However, I'm seeing more complaints from end-users who are
encountering web sites that issue URLs with the pipe/vertical bar -
"|" - character embedded in them. The Sidewinder proxy denies it, as
is proper. The latest occurrence is a really stupid State government
web site that actually puts the pipe character at the end of the URL!

For those sites that we have a business case for end-user access, I
make an exception.

IT manager now considers this an annoyance, and wants justification
for the not allowing URLs with the character through the proxy. I tell
him it violates the RFCs that I'm aware of (1738 and 2396 - 3986
doesn't really deal with it, AFAICT) and he wants me to
quantify/qualify the risk, and wants me to consider allowing that
character universally. I told him (as I believe to be correct) that
you can't do that without turning off the proxy entirely, which would
be foolish in the extreme.

Aside from what we (the manager and I) already know (that the pipe is
used in scripting/shells/etc. to redirect output from one program to
another) are there any other risks of which I'm not aware, or any
specific attacks that I can point to that have or do use this
character? I would think that our current understanding on this would
be sufficient justification for keeping things the way they are, but
apparently not.

This is really silly, and frustrating for me, though I suppose many of
you have fought the same (kinds of) battle, but any insight would
help.

Thanks,

Kurt
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards