Filter pipe command - Programmers Heaven

Filter pipe command

davidrtgdavidrtg Posts: 95Member
What's the best way to filter out the | (pipe) command from form inputs?

Our site was hacked using 'script.cgi?page=index.html|cat%20telnet.pl|' and I need to find a way to stop that.

Thanks,
David

Comments

  • davidrtgdavidrtg Posts: 95Member
    : What's the best way to filter out the | (pipe) command from form inputs?
    :
    : Our site was hacked using 'script.cgi?page=index.html|cat%20telnet.pl|' and I need to find a way to stop that.
    :
    : Thanks,
    : David
    :

    I just added a s/\|//g to the query string and that seems to do the trick.
  • JonathanJonathan Posts: 2,914Member
    : : What's the best way to filter out the | (pipe) command from form inputs?
    : :
    : : Our site was hacked using 'script.cgi?page=index.html|cat%20telnet.pl|' and I need to find a way to stop that.
    : :
    : : Thanks,
    : : David
    : :
    :
    : I just added a s/\|//g to the query string and that seems to do the trick.
    :
    No, no. You validate your input data for what is ALLOWED, not try and hack out the disallowed stuff (most of the time, anyway). So check your input against a pattern like /^[\w.-]+$/. Otherwise I can just supply /etc/passwd as the file and off we go again.

    Read this:-
    http://www.jwcs.net/~jonathan/cgisecurity.htm

    Jonathan

    ###
    for(74,117,115,116){$::a.=chr};(($_.='qwertyui')&&
    (tr/yuiqwert/her anot/))for($::b);for($::c){$_.=$^X;
    /(p.{2}l)/;$_=$1}$::b=~/(..)$/;print("$::a$::b $::c hack$1.");
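An added Perl example, not code from either poster, contrasting the pipe-stripping David describes with the allowlist check Jonathan recommends, plus a three-argument open that treats the validated name strictly as a file path. The function names, the `$docroot` parameter and the sample inputs are my own assumptions.

```perl
use strict;
use warnings;

# Blacklist approach from the thread: strip pipe characters only.
sub strip_pipes {
    my ($page) = @_;
    $page =~ s/\|//g;
    return $page;
}

# Allowlist approach: accept only word characters, dots and hyphens.
# Returns the validated name, or undef when the input is rejected.
sub validate_page {
    my ($page) = @_;
    return undef unless defined $page;
    return undef unless $page =~ /^([\w.-]+)\z/;   # \z: no trailing newline
    my $clean = $1;                                  # captured copy (untainted under -T)
    return undef if $clean =~ /^\.+$/;               # reject "." and ".."
    return $clean;
}

# Hardened read: validated name, fixed directory, explicit read mode.
# With three-argument open the name is never interpreted as a command.
sub read_page {
    my ($page, $docroot) = @_;
    my $name = validate_page($page);
    return undef unless defined $name;
    my $path = "$docroot/$name";
    open(my $fh, '<', $path) or return undef;
    local $/;
    my $body = <$fh>;
    close $fh;
    return $body;
}

# Constructed sample inputs, including the one from the thread.
my @samples = (
    'index.html',
    'index.html|cat telnet.pl|',
    '/etc/passwd',
    '../../etc/passwd',
);
for my $in (@samples) {
    my $bl = strip_pipes($in);
    my $wl = validate_page($in);
    printf "%-26s strip-> %-24s allowlist-> %s\n",
        $in, $bl, defined $wl ? $wl : 'REJECTED';
}
```

Running it shows the blacklist passing `/etc/passwd` and `../../etc/passwd` through untouched while the allowlist rejects both and the pipe payload.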
