Re: CERT Advisory on malicious scripts
This WebDNA talk-list message is from 2000
>At 3:23 PM 2/3/00, Kenneth Grome wrote:
>>> >CERT has released an advisory regarding web based systems, such as
>>> >message boards, and their ability to include malicious scripts. Does
>>> >anyone have any quick method for recognizing malicious code from form
>>> >entries processed by webCat?
>>>
>>> The simplest method to prevent this problem is to strip the < character
>>> from your form values using a special db with convertchars to convert it
>>> to nothing. This effectively prevents people from creating HTML tags.
>
>Would [url] encoding every user entered text field that is to be displayed
>work as a quick stop gap? In other words, if someone has included any html
>in their entries and that data is now in the database, and we want to
>display it back to some other visitor, encoding it would make it, for
>example, <form.... and so it wouldn't be recognized by the receiver's
>browser as html.

Yes, but it will also mess with other characters you probably don't want changed as they are displayed on the page ...

================================
Kenneth Grome, WebDNA Consultant
808-737-6499, http://webdna.net
================================
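As an added example, not code from the thread or from WebDNA itself, the following Python compares the three treatments of a stored form entry: stripping `<` as Kenneth suggests, percent-encoding as the questioner proposes, and HTML entity escaping, which the thread does not mention but is the output encoding that avoids the side effect Kenneth describes. `SAMPLE_ENTRY` is a constructed form value and the function names are the author's own.

```python
import html
import urllib.parse

# Constructed sample form entry: a message-board post that carries a
# script tag plus ordinary text the site wants to show verbatim.
SAMPLE_ENTRY = 'Nice board! <script>alert(1)</script> 2 < 3 & "quotes"'


def strip_lt(value: str) -> str:
    """Drop every '<' so no tag can be formed (the convertchars approach).
    Side effect: legitimate text such as '2 < 3' is silently altered."""
    return value.replace("<", "")


def url_encode_for_display(value: str) -> str:
    """The 'quick stop gap' asked about: [url]-style percent-encoding.
    Tags can no longer render, but spaces, quotes and '&' become %XX
    sequences the visitor sees literally, which is the objection raised."""
    return urllib.parse.quote(value, safe="")


def html_escape_for_display(value: str) -> str:
    """Output encoding for the HTML context (not mentioned in the thread):
    only '<', '>', '&' and the quote characters change, so '2 < 3' still
    reads as '2 < 3' in the browser while '<script>' cannot execute."""
    return html.escape(value, quote=True)


def contains_tag(rendered: str) -> bool:
    """Crude check used here: does a literal '<' survive into the output?"""
    return "<" in rendered


def round_trips(value: str) -> bool:
    """True if the browser would display exactly the original text after
    HTML escaping, i.e. nothing the user typed is lost or mangled."""
    return html.unescape(html_escape_for_display(value)) == value


def compare(value: str = SAMPLE_ENTRY) -> dict:
    """All three renderings side by side for a given stored entry."""
    return {
        "strip": strip_lt(value),
        "url": url_encode_for_display(value),
        "html": html_escape_for_display(value),
    }


if __name__ == "__main__":
    for name, rendered in compare().items():
        print(f"{name:5s} tag survives={contains_tag(rendered)}: {rendered}")
```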