-
New CGI bug
The search.cgi script included with the AHG Search Engine does not adequately sanitize its input. As a result, a remote user can pass semicolon (;) and pipe (|) characters through a search request. This can result in the commands encapsulated between the symbols being executed with the privileges of the web server.
Read more at www.xatrix.org
-
Jesus, you'd think they'd check for these things...escape both the pipe | and the semicolon ; you fsck-nuts! Do LITERAL translation and you can botch things...do escaped translations and you'll be fine! Check length, bad chars, etc etc... *sigh* I can tell they hired a n00b. I'm not saying I've never done things like that before but I know when I send something out the door with my name on it code-wise, I've looked at it repeatedly and tried to break it internally.
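The advisory's missing input filtering and the comment's advice (check length, reject bad characters) can be shown together in a short sketch. This is an added example, not code from search.cgi or the AHG project; the backend command, the length limit and the allowlist are assumptions chosen for illustration.

```python
import re
import subprocess
import sys

MAX_QUERY_LEN = 64                              # assumed limit for a search term
ALLOWED = re.compile(r"[A-Za-z0-9 _.\-]+")      # allowlist; ';' and '|' never match

# Hypothetical backend standing in for the real search helper: it reports the
# single argument it received, so the example runs offline.
BACKEND = [sys.executable, "-c", "import sys; print(sys.argv[1], end='')"]

def shell_string(query: str) -> str:
    """The risky pattern: user input pasted into text meant for a shell.
    Returned for inspection only, never executed here."""
    return "search-backend " + query

def validate_query(query: str) -> str:
    """Reject rather than repair: length check first, then the allowlist."""
    if not 0 < len(query) <= MAX_QUERY_LEN:
        raise ValueError("query length out of range")
    if not ALLOWED.fullmatch(query):
        raise ValueError("query contains characters outside the allowlist")
    return query

def run_backend(arg: str) -> str:
    """Pass the value as one argv element, so no shell ever parses it."""
    done = subprocess.run(BACKEND + [arg], capture_output=True, text=True,
                          shell=False, timeout=10, check=True)
    return done.stdout

def search(query: str) -> str:
    """Validate first, then hand the query to the backend as plain data."""
    return run_backend(validate_query(query))

if __name__ == "__main__":
    # Constructed sample inputs: one ordinary query, three that must be refused.
    for q in ["firewall logs", "logs; echo hi", "logs | echo hi", "x" * 200]:
        try:
            print(repr(q[:20]), "->", repr(search(q)))
        except ValueError as err:
            print(repr(q[:20]), "-> rejected:", err)
    # Defense in depth: even unvalidated, argv passing keeps ';' literal.
    print(repr(run_backend("logs; echo hi")))
```

Validation and shell-free invocation are independent layers: the allowlist refuses the request outright, and the argv call ensures that anything which slips past it still reaches the backend as a single literal string.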