Re: SSI & CSS execution in MakeBook 2.2

From: Kristina Pfaff-Harris (kristina@tesol.net)
Date: 06/13/02


Date: 13 Jun 2002 15:13:02 -0000
From: Kristina Pfaff-Harris <kristina@tesol.net>
To: bugtraq@securityfocus.com


In-Reply-To: <20020612072206.29312.qmail@mail.securityfocus.com>

>Advisory name: SSI & CSS execution in MakeBook 2.2
>Advisory number: 5
>Application: MakeBook 2.2 (CGI script)
>Application author: Kristina Pfaff-Harris

Gah. This is embarrassing, especially since the original advisory about
Matt's guestbook came out frigging years ago.

~sigh~

Name, email, and text entered are now checked more rigorously, which
should fix this bug. I've notified all registered users of the script to
upgrade immediately.

The fix is a quick and ugly one, and does not allow for international
characters in either the name or the email, and thus does not allow for
several perfectly valid email addresses, but also should eliminate the
vulnerability. Names now are stripped of everything but A-Za-z0-9-_.'
and emails of everything but A-Za-z0-9-_.@ .

Btw, and just as a side note, does anyone actually notify the writer of
the script/software/whatever that has an exploit anymore? (I mean besides
just posting to BugTraq?) It would have been nice to see a note about this
before seeing it here. :-)

Kristina
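
The allowlist stripping described in the message above, as an added Python example that is not part of the original post and is not MakeBook's own code. The function names and sample inputs are constructed, and the two character lists are taken literally from the post, which is an assumption that also strips spaces.

```python
import string

# Character lists as quoted in the post, taken literally (assumption:
# whitespace is not on either list, so spaces are stripped as well).
_BASE = string.ascii_letters + string.digits + "-_."
NAME_ALLOWED = frozenset(_BASE + "'")
EMAIL_ALLOWED = frozenset(_BASE + "@")


def strip_field(value, allowed):
    """Keep only allowed characters; also report what was dropped.

    Returns (cleaned, removed), where removed holds each distinct dropped
    character once, in order of first appearance.
    """
    cleaned = "".join(ch for ch in value if ch in allowed)
    removed = "".join(dict.fromkeys(ch for ch in value if ch not in allowed))
    return cleaned, removed


def clean_name(value):   # hypothetical helper name
    return strip_field(value, NAME_ALLOWED)


def clean_email(value):  # hypothetical helper name
    return strip_field(value, EMAIL_ALLOWED)


# Constructed sample submissions (not taken from the advisory).
SAMPLES = [
    ("name", '<!--#echo var="DATE_LOCAL" -->'),  # SSI directive syntax
    ("name", "<b>Ana</b>"),                      # HTML markup
    ("name", "José O'Neil"),                     # non-ASCII letter lost
    ("email", "user+tag@example.com"),           # valid address altered
]

if __name__ == "__main__":
    for field, raw in SAMPLES:
        cleaned, removed = (clean_name if field == "name" else clean_email)(raw)
        print(f"{field:5} {raw!r:34} -> {cleaned!r:24} dropped {removed!r}")
```

The first two samples lose the `<`, `>`, `!`, `#` and `"` characters that SSI directives and HTML tags depend on, while the last two show the cost the message mentions: international characters and some valid email addresses do not survive the filter.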