Filter pipe command

davidrtg Posts: 95 Member
What's the best way to filter out the | (pipe) command from form inputs?

Our site was hacked using 'script.cgi?page=index.html|cat%20telnet.pl|' and I need to find a way to stop that.

Thanks,
David

Comments

  • davidrtg Posts: 95 Member
    : What's the best way to filter out the | (pipe) command from form inputs?
    :
    : Our site was hacked using 'script.cgi?page=index.html|cat%20telnet.pl|' and I need to find a way to stop that.
    :
    : Thanks,
    : David
    :

    I just added a s/\|//g to the query string and that seems to do the trick.
  • Jonathan Posts: 2,914 Member
    : : What's the best way to filter out the | (pipe) command from form inputs?
    : :
    : : Our site was hacked using 'script.cgi?page=index.html|cat%20telnet.pl|' and I need to find a way to stop that.
    : :
    : : Thanks,
    : : David
    : :
    :
    : I just added a s/\|//g to the query string and that seems to do the trick.
    :
    No, no. You validate your input data for what is ALLOWED, not try and hack out the disallowed stuff (most of the time, anyway). So check your input against a pattern like /^[\w.-]+$/. Otherwise I can just supply /etc/passwd as the file and off we go again.

    Read this:-
    http://www.jwcs.net/~jonathan/cgisecurity.htm

    Jonathan

    ###
    for(74,117,115,116){$::a.=chr};(($_.='qwertyui')&&
    (tr/yuiqwert/her anot/))for($::b);for($::c){$_.=$^X;
    /(p.{2}l)/;$_=$1}$::b=~/(..)$/;print("$::a$::b $::c hack$1.");
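
The allow-list check described in the reply above, as an added example that is not part of the original posts. It goes slightly beyond the posted pattern by anchoring with \A and \z and by using three-argument open, and it assumes the script passes `page` to Perl's `open`; `$DOC_ROOT`, `validate_page` and `open_page` are hypothetical names and the sample inputs are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical document directory (assumption); adjust to the real location.
my $DOC_ROOT = '/var/www/pages';

# Return the validated file name, or undef if the value is not allowed.
sub validate_page {
    my ($page) = @_;
    return undef unless defined $page;
    # Allow-list: ASCII word characters, dots and hyphens only (/a, Perl 5.14+).
    # \A and \z anchor the whole string; $ would also accept a trailing newline.
    return undef unless $page =~ /\A([\w.-]+)\z/a;
    my $name = $1;
    # Dots are allowed, so reject ".", ".." and hidden files explicitly.
    return undef if $name =~ /\A\./;
    return $name;
}

# Open the page read-only. Three-argument open with an explicit '<' mode
# never treats characters in the name as a pipe or a mode indicator.
sub open_page {
    my ($page) = @_;
    my $name = validate_page($page);
    return unless defined $name;
    open(my $fh, '<', "$DOC_ROOT/$name") or return;
    return $fh;
}

# Constructed sample inputs, in the URL-decoded form a CGI script sees.
my @samples = (
    'index.html',
    'index.html|cat telnet.pl|',
    '/etc/passwd',
    '..',
    "index.html\n",
);

for my $input (@samples) {
    (my $shown = $input) =~ s/\n/\\n/g;
    printf "%-28s %s\n", "'$shown'",
        defined(validate_page($input)) ? 'accepted' : 'rejected';
}
```

Only `index.html` is accepted; the pipe string, the absolute path, `..` and the newline-terminated name are all rejected before any file is opened.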
