Re: A security vulnerability in S8Forum

From: Steve Watt (steve@Watt.COM)
Date: 01/07/03

    From: steve@Watt.COM (Steve Watt)
    Date: Mon, 6 Jan 2003 19:20:01 -0800
    To: nmsh_sa@canada.com, bugtraq@securityfocus.com
    
    

    In article <20030105032650.16087.h011.c009.wm@mail.canada.com.criticalpath.net> you write:
    [ snip ]
    >SOLUTION :
    >==========
    [ snip ]
    > if(!eregi("^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$", $email) && $email != "") {

    Please note that there are many more characters valid in the LHS of an
    email address, for example +, that are often desirable. Disallowing
    such addresses is a major nuisance. A beautiful example is the useful
    feature in sendmail that allows user+whatever@dom.ain, which allows
    users to invent infinite variations on their email address for tracking
    spam database propagation.

    In this particular application, the error is more widespread than the
    fix you cite -- if you're going to allow random users to control file
    names on your system, you certainly shouldn't put the contents somewhere
    that a web server can directly find it.

    That bit of software seems to need a major review.

    -- 
    Steve Watt KD6GGD  PP-ASEL-IA          ICBM: 121W 56' 57.8" / 37N 20' 14.9"
     Internet: steve @ Watt.COM                         Whois: SW32
       Free time?  There's no such thing.  It just comes in varying prices...
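
The two points raised in the message above, as an added example that is not part of the original post and is not S8Forum code: the quoted pattern (ported here from `eregi()` to `preg_match()`) rejects `+` addresses, while a storage name derived from a hash keeps user input out of file names whatever the validator accepts. `DATA_DIR`, the `.dat` extension and all function names are assumptions made for illustration.

```php
<?php
// Added example; not S8Forum code. Paths and function names are hypothetical.

// The pattern from the quoted fix, ported from eregi() to preg_match() with /i.
const QUOTED_PATTERN =
    '/^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$/i';

// Assumed data directory, located outside the web server's document root.
const DATA_DIR = '/var/lib/forum-data/users';

function quoted_check_accepts(string $email): bool
{
    return preg_match(QUOTED_PATTERN, $email) === 1;
}

// Accept what PHP's built-in validator accepts, which includes "+" in the
// local part. Validation decides whether the address is plausible; it is not
// what keeps the filesystem safe.
function address_is_plausible(string $email): bool
{
    return filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

// The file name is derived from a hash of the address, so its character set
// is fixed ([0-9a-f] plus a constant extension) regardless of user input.
function storage_path(string $email): string
{
    return DATA_DIR . '/' . hash('sha256', $email) . '.dat';
}

// Constructed sample addresses.
$samples = ['user@dom.ain', 'user+whatever@dom.ain', 'user+list@example.museum'];
foreach ($samples as $email) {
    printf(
        "%-26s quoted=%-6s plausible=%-6s file=%s\n",
        $email,
        quoted_check_accepts($email) ? 'accept' : 'reject',
        address_is_plausible($email) ? 'accept' : 'reject',
        basename(storage_path($email))
    );
}
```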
    
