Richard Stallman wrote:
I don't personally do most of our web site maintenance, of course.
But I take responsibility for removing this link if it should not be
there.
Can you tell the FSF web programmers to do more checking for HTML/SQL
injection vulnerabilities?
I have found a vulnerability with your FSF search engine.
http://z505.com/gng/fsf-gnu-site-easy-to-hack.htm
Your programmers should check POST/GET variables and in many cases only
allow alphanumeric characters in by default. Not through JavaScript but
at the server side during processing. Your search engine allows bad
characters in... ones that can damage the site or cause malicious theft
of logins or other data through cross-site scripting... by embedding
forms/input boxes into the site that post to another domain.
In the framework I develop, this problem is secured by default...
The functions I use for getting post/get variables trim malicious
attempts... while the programmer can choose to use the insecure,
non-default raw function if he really needs to:
http://z505.com/cgi-bin/powtils/docs/1.6/idx.cgi?file=getcgivar&unit=pwumain
http://z505.com/cgi-bin/powtils/docs/1.6/idx.cgi?file=getcgivar_s&unit=pwumain
I suggest your web programmers read up on how to secure web programs by
reading about what my GetCgiVar functions do, or by finding articles on
the net that explain how you have to filter/check each incoming POST/GET
request carefully each time.
I would have sent this privately to you, but many people will find this
security info useful and humorous. It is my duty to teach people about
web security, and only privately mailing you would mean thousands of
people that read this list would miss out on learning about HTML
injection. Plenty of large popular websites I visit are insecure in this
very manner.
Since this vulnerability is unfortunately exposed publicly... fixing it
before too many people notice it would be good.
Regards,
L505
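The two-layer defence the message describes (a safe-by-default getter that strips non-alphanumeric characters from GET/POST variables, a separate raw getter for the rare cases that need it, plus output escaping so a reflected search term cannot inject markup) as an added Python example. This is not the powtils code linked above; `get_cgi_var`, `render_results`, `has_disallowed_chars` and the query string are constructed here for illustration.

```python
import html
import re
from urllib.parse import parse_qs

# Allowlist used by the default (filtered) getter: letters, digits, space.
# Anything else is dropped server-side, before the value is ever used.
DISALLOWED_RE = re.compile(r"[^A-Za-z0-9 ]")


def has_disallowed_chars(value: str) -> bool:
    """True when a submitted value contains characters outside the allowlist.
    Useful for logging/alerting on requests that carry markup or quotes."""
    return DISALLOWED_RE.search(value) is not None


def get_cgi_var(query_string: str, name: str, *, raw: bool = False,
                max_len: int = 100) -> str:
    """Return the first value of `name` from a GET/POST query string.

    Default (raw=False): strip every character outside the allowlist and
    cap the length. raw=True returns the value untouched; the caller then
    owns escaping it correctly for wherever it is used (HTML, SQL, ...).
    Missing variables yield "" rather than raising.
    """
    value = parse_qs(query_string, keep_blank_values=True).get(name, [""])[0]
    if raw:
        return value
    return DISALLOWED_RE.sub("", value)[:max_len]


def render_results(term: str) -> str:
    """Echo the search term into an HTML page. Escaping is the second layer:
    even a raw value becomes inert text instead of a tag or attribute."""
    return f"<p>Results for: <b>{html.escape(term, quote=True)}</b></p>"


# Constructed sample request: a search term carrying a form tag that points
# at another domain, the kind of input the message says should be rejected.
SAMPLE_QUERY = ("q=free+software%3Cform+action%3D%22http%3A%2F%2Fexample."
                "invalid%2F%22%3E&page=2")

if __name__ == "__main__":
    raw = get_cgi_var(SAMPLE_QUERY, "q", raw=True)
    print("disallowed chars present:", has_disallowed_chars(raw))
    print("filtered:", get_cgi_var(SAMPLE_QUERY, "q"))
    print("escaped :", render_results(raw))
```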