Re: SSI & CSS execution in MakeBook 2.2From: Kristina Pfaff-Harris (email@example.com)
- Previous message: Mark Litchfield: "Microsoft RASAPI32.DLL"
- Maybe in reply to: DownBload: "SSI & CSS execution in MakeBook 2.2"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: 13 Jun 2002 15:13:02 -0000 From: Kristina Pfaff-Harris <firstname.lastname@example.org> To: email@example.com('binary' encoding is not supported, stored as-is) In-Reply-To: <firstname.lastname@example.org>
>Advisory name: SSI & CSS execution in MakeBook 2.2
>Advisory number: 5
>Application: MakeBook 2.2 (CGI script)
>Application author: Kristina Pfaff-Harris
Gah. This is embarassing, especially since the original advisory about
Matt's guestbook came out frigging years ago.
Name, email, and text entered are now checked more rigorously, which
should fix this bug. I've notified all registered users of the script to
The fix is a quick and ugly one, and does not allow for international
characters in either the name or the email, and thus does not allow for
several perfectly valid email addresses, but also should eliminate the
vulnerability. Names now are stripped of everything but A-Za-z0-9-_.'
and emails of everything but A-Za-z0-9-_.@ .
Btw, and just as a side note, does anyone actually notify the writer of
the script/software/whatever that has an exploit anymore? (I mean besides
just posting to BugTraq?) It would have been nice to see a note about this
before seeing it here. :-)