Re: CERT Advisory on malicious scripts

This WebDNA talk-list message is from 2000


numero = 27022
>At 3:23 PM 2/3/00, Kenneth Grome wrote:
>>> >CERT has released an advisory regarding web based systems, such as
>>> >message boards, and their ability to include malicious scripts. Does
>>> >anyone have any quick method for recognizing malicious code from form
>>> >entries processed by webCat?
>>>
>>> The simplest method to prevent this problem is to strip the < character
>>> from your form values using a special db with convertchars to convert it
>>> to nothing. This effectively prevents people from creating HTML tags.
>
>Would [url] encoding every user entered text field that is to be displayed
>work as a quick stop gap? In other words, if someone has included any html
>in their entries and that data is now in the database, and we want to
>display it back to some other visitor, encoding it would make it, for
>example, <form.... and so it wouldn't be recognized by the receiver's
>browser as html.

Yes, but it will also mess with other characters you probably don't want changed as they are displayed on the page ...

================================
Kenneth Grome, WebDNA Consultant
808-737-6499, http://webdna.net
================================

Associated Messages, from the most recent to the oldest:

    
  1. Re: CERT Advisory on malicious scripts (Kenneth Grome 2000)
  2. Re: CERT Advisory on malicious scripts (Miguel Castaneda 2000)
  3. Re: CERT Advisory on malicious scripts (Kenneth Grome 2000)
  4. Re: CERT Advisory on malicious scripts (John Butler 2000)
  5. Re: CERT Advisory on malicious scripts (Joseph D'Andrea 2000)
  6. Re: CERT Advisory on malicious scripts (Kenneth Grome 2000)
  7. Re: CERT Advisory on malicious scripts (Joseph D'Andrea 2000)
  8. Re: CERT Advisory on malicious scripts (The Mooseman 2000)
  9. Re: CERT Advisory on malicious scripts (Alex McCombie 2000)
  10. Re: CERT Advisory on malicious scripts (Kenneth Grome 2000)
  11. CERT Advisory on malicious scripts (Joseph D'Andrea 2000)
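The exchange above weighs three ways of handling user-entered text before it is shown to another visitor: stripping the < character (Grome's convertchars suggestion), [url]-encoding the whole field (D'Andrea's stop-gap, which Grome notes mangles other characters), and, as the option neither message spells out, encoding only the characters an HTML parser cares about. The following is an added example, not WebDNA and not code from the talk list or from the WebDNA project: it stands in for [convertchars] and [url] with Python's str.replace and urllib.parse.quote, uses html.escape for entity encoding, and runs all three over a constructed sample post so the trade-off Grome points at can be seen directly. The sample text, the function names and the tag-shaped regular expression are mine.

```python
"""Output-encoding options for untrusted message-board text.

Added example: approximates the approaches discussed on the WebDNA
talk-list in standard Python.  Assumptions: [convertchars] dropping '<'
behaves like str.replace('<', ''); [url] behaves like percent-encoding
every character outside the unreserved set (urllib.parse.quote with
safe='').  Neither claim is taken from WebDNA documentation.
"""
import html
import re
from urllib.parse import quote

# Constructed sample post: a would-be script injection next to ordinary
# text with characters a visitor expects to see displayed unchanged.
SAMPLE_POST = (
    "Great board! <script>alert('hi')</script> "
    "Café & Crème, 50% off <b>now</b>"
)

# Anything that looks like a start or end tag: '<', optional '/', a letter,
# then up to the closing '>'.  "a < b and c > d" is deliberately not matched.
TAG_RE = re.compile(r"</?[A-Za-z][^<>]*>")


def looks_like_html(text: str) -> bool:
    """Quick check for form entries that already contain tag-shaped input."""
    return TAG_RE.search(text) is not None


def strip_lt(text: str) -> str:
    """The convertchars approach: remove every '<' so no tag can begin."""
    return text.replace("<", "")


def url_encode(text: str) -> str:
    """The [url]-style stop-gap: percent-encode all but unreserved characters."""
    return quote(text, safe="")


def html_encode(text: str) -> str:
    """Entity-encode only &, <, >, double and single quote."""
    return html.escape(text, quote=True)


def preserves_text(encoder, text: str) -> bool:
    """True if a browser would display ENCODER(text) as the original text.

    Browser display of element text is approximated by entity decoding; this
    is only meaningful once looks_like_html() is False for the encoded form.
    """
    encoded = encoder(text)
    return not looks_like_html(encoded) and html.unescape(encoded) == text


def compare(text: str) -> dict:
    """Run the three transforms and report, for each, whether the result is
    still tag-free and whether the displayed text survives intact."""
    report = {}
    for name, fn in (("strip_lt", strip_lt),
                     ("url_encode", url_encode),
                     ("html_encode", html_encode)):
        report[name] = {
            "output": fn(text),
            "tag_free": not looks_like_html(fn(text)),
            "text_intact": preserves_text(fn, text),
        }
    return report


if __name__ == "__main__":
    print("raw input flagged as HTML:", looks_like_html(SAMPLE_POST))
    for name, row in compare(SAMPLE_POST).items():
        print(f"{name:12s} tag_free={row['tag_free']!s:5s} "
              f"text_intact={row['text_intact']!s:5s} {row['output']}")
```

All three transforms leave the stored post unable to form a tag, but only the entity-encoded form is displayed as the visitor typed it: percent-encoding turns every space, apostrophe and accented letter into %XX sequences, which is the side effect Grome objects to, and stripping < leaves fragments such as "script>" in the visible text. One general caveat on the strip-< approach that the thread does not raise: it only stops new tags from starting, so it is not sufficient where user data is placed inside an existing attribute value or a script block, where the enclosing quote or the block itself is the thing to escape.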
