Variables encoded twice

Armin Wolfermann aw at osn.de
Fri Aug 1 10:50:27 CEST 2008


* Bernd Arnold <bernd_a at gmx.de> [31.07.2008 21:04]:
> 1.49 is titled "XSS vulnerability fixes".
> 
> I don't know the depth of security, but unencoded strings can change
> the behavior if something like special characters (' < > &) are
> submitted. I think it's important that such things are encrypted,
> though I also think it's sufficient when a function like PHP's
> htmlentities function is used (keeps spaces as spaces, not +). Maybe
> host_name for example cannot contain such characters, but it's safer
> to encode everything.

The submitted parameters are processed by sanitize_cgi_input() at the
start of the CGI. There is no added security if we process them again at
this point.

Example: If you have a host with the name SDSL:Customer you can call
avail.cgi for the first time with no problems. But if you change the
timeperiod and resubmit, the hostname is converted to SDSL%3ACustomer
and you get an error.

Regards,
Armin Wolfermann
OSN Online Service Nuremberg
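
Added example (not part of the original message, and not code from the project): a Python model of the round trip described above, assuming the value is percent-encoded into a form field and the browser percent-encodes it again on submit. The function names and the host set are hypothetical; the second case shows HTML-escaping the field value instead, which survives the round trip.

```python
from html import escape, unescape
from urllib.parse import quote, unquote

# Constructed sample data: the host name from the message above.
KNOWN_HOSTS = {"SDSL:Customer"}


def url_encode_into_form(value):
    """Assumed faulty behaviour: percent-encode the value before writing
    it into the HTML form field."""
    return quote(value, safe="")


def html_escape_into_form(value):
    """Context-appropriate output encoding for an HTML attribute value
    (what PHP's htmlentities does in the quoted suggestion)."""
    return escape(value, quote=True)


def browser_submit(attr_value):
    """Model of the browser: HTML-decode the attribute, then percent-encode
    the result for the query string."""
    return quote(unescape(attr_value), safe="")


def cgi_receive(wire_value):
    """Model of the CGI: percent-decode the parameter exactly once."""
    return unquote(wire_value)


def round_trip(host, encode_for_form):
    """Return (form attribute, value on the wire, value seen by the CGI)."""
    attr = encode_for_form(host)
    wire = browser_submit(attr)
    return attr, wire, cgi_receive(wire)


if __name__ == "__main__":
    for encoder in (url_encode_into_form, html_escape_into_form):
        attr, wire, got = round_trip("SDSL:Customer", encoder)
        status = "found" if got in KNOWN_HOSTS else "unknown host"
        print(f"{encoder.__name__}: form={attr} wire={wire} cgi={got} ({status})")
```
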
