|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
Re: CGI.pm vulnerable to Cross-site Scripting
From: Erwann CORVELLEC (Erwann.Corvellec
free.fr)
Date: Wed Jul 23 2003 - 03:20:12 CDT
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Le 22/07/2003 18:57, Lincoln Stein a écrit :
> But this was fixed long ago in version 2.94. We're at version 2.98 now. The
> most up-to-date copy is always in CPAN.
Please find attached the patch against CGI.pm version 2.98.
--
Erwann Corvellec
--- CGI.pm.ori 2003-06-18 21:57:21.000000000 +0200
+++ CGI.pm 2003-07-23 09:53:18.000000000 +0200
-1641,7 +1641,7
unless (defined $action) {
$action = $self->url(-absolute=>1,-path=>1);
if (length($ENV{QUERY_STRING})>0) {
- $action .= "?$ENV{QUERY_STRING}";
+ $action .= '?' . $self->escapeHTML($ENV{QUERY_STRING},1);
}
}
$action =~ s/\"/%22/g; # fix cross-site scripting bug reported by obscure
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]