Re: CERT Advisory on malicious scripts

This WebDNA talk-list message is from 2000.


>At 3:23 PM 2/3/00, Kenneth Grome wrote:
>>> >CERT has released an advisory regarding web based systems, such as
>>> >message boards, and their ability to include malicious scripts. Does
>>> >anyone have any quick method for recognizing malicious code from form
>>> >entries processed by webCat?
>>>
>>> The simplest method to prevent this problem is to strip the < character
>>> from your form values using a special db with convertchars to convert it
>>> to nothing. This effectively prevents people from creating HTML tags.
>
> Would [url] encoding every user entered text field that is to be displayed
> work as a quick stop gap? In other words, if someone has included any html
> in their entries and that data is now in the database, and we want to
> display it back to some other visitor, encoding it would make it, for
> example, <form.... and so it wouldn't be recognized by the receiver's
> browser as html.

Yes, but it will also mess with other characters you probably don't want changed as they are displayed on the page ...

================================
Kenneth Grome, WebDNA Consultant
808-737-6499, http://webdna.net
================================

Associated Messages, from the most recent to the oldest:

    
  1. Re: CERT Advisory on malicious scripts (Kenneth Grome 2000)
  2. Re: CERT Advisory on malicious scripts (Miguel Castaneda 2000)
  3. Re: CERT Advisory on malicious scripts (Kenneth Grome 2000)
  4. Re: CERT Advisory on malicious scripts (John Butler 2000)
  5. Re: CERT Advisory on malicious scripts (Joseph D'Andrea 2000)
  6. Re: CERT Advisory on malicious scripts (Kenneth Grome 2000)
  7. Re: CERT Advisory on malicious scripts (Joseph D'Andrea 2000)
  8. Re: CERT Advisory on malicious scripts (The Mooseman 2000)
  9. Re: CERT Advisory on malicious scripts (Alex McCombie 2000)
  10. Re: CERT Advisory on malicious scripts (Kenneth Grome 2000)
  11. CERT Advisory on malicious scripts (Joseph D'Andrea 2000)
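The trade-off the thread is debating (stripping `<` from stored form values, [url]-encoding the whole field on display, or entity-encoding the HTML metacharacters on display), as an added Python comparison that is not code from the list or from WebDNA. The entry text and the helper names are constructed for the demo.

```python
import html
from urllib.parse import quote

# Constructed message-board entry: one legitimate "<" used as less-than,
# plus an injected tag of the kind the CERT advisory describes.
SAMPLE_ENTRY = 'Tip: if a < b, use [showif]. <b onmouseover="x()">hi</b>'


def strip_lt(value: str) -> str:
    """The list's first suggestion: remove every '<' so no tag can form.
    Lossy: a legitimate less-than sign disappears as well."""
    return value.replace("<", "")


def url_encode_for_display(value: str) -> str:
    """The second suggestion: [url]-encode the whole field before display.
    No tag survives, but spaces and punctuation are shown as %XX escapes."""
    return quote(value, safe="")


def html_escape_for_display(value: str) -> str:
    """Entity-encode only & < > \" ' on output. The browser shows the text
    exactly as typed, but '<' arrives as '&lt;' and cannot open a tag."""
    return html.escape(value, quote=True)


def contains_tag(rendered: str) -> bool:
    """Crude tag detector for the demo: a raw '<' followed by a letter or '/'."""
    return any(ch == "<" and (nxt.isalpha() or nxt == "/")
               for ch, nxt in zip(rendered, rendered[1:]))


def compare(value: str) -> dict:
    """Apply each approach and report whether a raw tag survived and whether
    the visitor would read the entry as the author typed it."""
    report = {}
    for name, fn in (("strip_lt", strip_lt),
                     ("url_encode", url_encode_for_display),
                     ("html_escape", html_escape_for_display)):
        rendered = fn(value)
        report[name] = {
            "rendered": rendered,
            "tag_free": not contains_tag(rendered),
            # Browsers decode entities but not %XX escapes, so this is the text shown.
            "displayed_as_typed": html.unescape(rendered) == value,
        }
    return report


if __name__ == "__main__":
    for name, result in compare(SAMPLE_ENTRY).items():
        print(f"{name:12} tag_free={result['tag_free']} "
              f"as_typed={result['displayed_as_typed']}  {result['rendered']}")
```

All three approaches keep the tag from reaching the browser; only entity-encoding on output does so without altering what the visitor reads, which is the objection raised in the reply above.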
