Re: CERT Advisory on malicious scripts
This WebDNA talk-list message is from 2000
numero = 27022
interpreted = N
texte =
>At 3:23 PM 2/3/00, Kenneth Grome wrote:
>>> >CERT has released an advisory regarding web based systems, such as
>>> >message boards, and their ability to include malicious scripts. Does
>>> >anyone have any quick method for recognizing malicious code from form
>>> >entries processed by webCat?
>>>
>>> The simplest method to prevent this problem is to strip the < character
>>> from your form values using a special db with convertchars to convert it
>>> to nothing. This effectively prevents people from creating HTML tags.
>
>Would [url] encoding every user entered text field that is to be displayed
>work as a quick stop gap? In other words, if someone has included any html
>in their entries and that data is now in the database, and we want to
>display it back to some other visitor, encoding it would make it, for
>example, <form.... and so it wouldn't be recognized by the receiver's
>browser as html.

Yes, but it will also mess with other characters you probably don't want changed as they are displayed on the page ...

================================
Kenneth Grome, WebDNA Consultant
808-737-6499, http://webdna.net
================================
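The two mitigations the thread compares (stripping `<` versus URL-encoding the whole field) and the reply's objection that URL-encoding changes characters a reader expects to see, as an added example that is not part of the original talk-list message or of WebDNA. It is plain JavaScript with a constructed sample entry; it does not model WebDNA's convertchars or [url] tags, only the encodings they apply, and it adds HTML entity escaping as the display-context encoding that avoids the side effect the reply points out.

```javascript
// Added example, not from the original thread: compares the mitigations
// discussed for user-submitted message-board text before it is displayed.

// Constructed sample of a message-board entry: it contains markup plus
// ordinary spaces and punctuation that a reader expects to see unchanged.
const SAMPLE_ENTRY =
  "Don't click <a href=\"http://example.invalid\">here</a> & enjoy 100% \"fun\"";

// Option 1 from the thread: strip the '<' character so no tag can form.
// The tag text stays visible as plain characters, just without the bracket.
function stripAngleBracket(text) {
  return text.replace(/</g, "");
}

// Option 2 from the thread: URL-encode the whole field before display.
// No tag survives, but every space, slash, quote and '=' is changed too,
// which is the objection raised in the reply.
function urlEncodeForDisplay(text) {
  return encodeURIComponent(text);
}

// HTML entity escaping for a text context: only the five characters that
// can change the meaning of HTML are replaced; everything else displays
// exactly as typed.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return text.replace(/[&<>"']/g, (ch) => map[ch]);
}

// Counts how many characters of the original an encoding alters, so the
// "messes with other characters" point becomes measurable.
function alteredCharCount(original, encode) {
  let count = 0;
  for (const ch of original) {
    if (encode(ch) !== ch) count++;
  }
  return count;
}

// Cheap check for whether a string could still open an HTML tag or comment
// when written into a page ('<' followed by a letter, '/' or '!').
function containsTag(text) {
  return /<[a-zA-Z/!]/.test(text);
}

// Stand-alone run: show each treatment of the sample entry side by side.
for (const [name, fn] of [
  ["strip <", stripAngleBracket],
  ["url-encode", urlEncodeForDisplay],
  ["html-escape", escapeHtml],
]) {
  console.log(`${name.padEnd(12)} altered=${alteredCharCount(SAMPLE_ENTRY, fn)} tag=${containsTag(fn(SAMPLE_ENTRY))}`);
  console.log("  " + fn(SAMPLE_ENTRY));
}
```

All three treatments stop the sample from rendering as a link, but URL-encoding rewrites more than twice as many characters as entity escaping, including every space, so the stored text no longer reads naturally when shown back to another visitor.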