Date: Wed, 24 Jun 1998 21:47:13 -0400
From: Matt Wright <[email protected]>
To: [email protected]
Subject: TextCounter: SECURITY HOLE PLUGGED!

Thanks to all of those at BugTraq who forwarded me the security hole info
on TextCounter. Sometimes it takes those 15 messages to get my attention
as I usually don't get through all my e-mail these days (The author
apparently did send me the warning about 8 days ago, but I hadn't read it
yet). :(

At any rate, I've spent about half the day today updating the TextCounter
in order to plug this security hole, which was present in both the Perl
and C++ Versions. I used a slightly different approach than the one
originally proposed in the alert message. This new approach causes count
data files to be named slightly differently, as all non-word characters
(anything besides a-z, A-Z and 0-9) are turned into an underscore.

The new versions posted at my site come with the fixed source and a small
perl script called convert.pl which will update your data filenames from
v1.2 to v1.2.1 (or v1.3 to v1.3.1 if you use the C++ version).

I also added some memory de-allocation to the C++ version which was
missing originally and made the same bug fix that v1.2.1 in Perl
received. convert.pl will work with the C++ data files in the same way
as both end up with the same names.

You can obtain the fixed versions at:
(Perl) http://www.worldwidemart.com/scripts/textcounter.shtml
(C++) http://www.worldwidemart.com/scripts/C++/textcounter.shtml

Another short fix, which I don't believe is nearly as good as simply
changing everything in the DOCUMENT_URI, is putting '.shtml/' into
your @invalid_uri. It was already in mine for other reasons, so I
never noticed the attacks, though I think there are ways of getting
around that fix, so I would recommend simply downloading and installing
the new version.

It is also possible that the new naming scheme could create a few
conflicts where two pages want the same name. There is a fairly slight
chance of this happening, but if it becomes a problem for anyone, let
me know and we'll try to find a work-around for that.

Please let me know if there are any other gaping security holes or if
this one has not been adequately fixed.

Thanks,
Matt Wright

********** The CGI Resource Index --> http://www.cgi-resources.com/ **********
Matt Wright, [email protected], http://www.worldwidemart.com/mattw/
Matt's Script Archive, Free CGI scripts, http://www.worldwidemart.com/scripts/
************ CGI/Perl Cookbook -> http://www.cgi-perl.com/promo/ *************
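
The renaming rule described in the message, together with a check for the name conflicts it warns about, as an added example (not Matt Wright's code and not taken from TextCounter or convert.pl). The function names `data_file_name` and `find_conflicts` and the sample URIs are assumptions constructed for illustration.

```cpp
// Added example: the "non-word characters become '_'" rule, plus conflict detection.
#include <iostream>
#include <map>
#include <string>
#include <vector>

// Map a DOCUMENT_URI to a count-file name: every character other than
// a-z, A-Z and 0-9 becomes '_'. The result holds only letters, digits
// and '_', so it contains no path separators or dots.
std::string data_file_name(const std::string& document_uri) {
    std::string name;
    name.reserve(document_uri.size());
    for (unsigned char c : document_uri) {
        bool keep = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                    (c >= '0' && c <= '9');
        name.push_back(keep ? static_cast<char>(c) : '_');
    }
    return name;
}

// Group URIs by sanitized name and return only the groups with more than
// one member, i.e. pages that would share a single counter file.
std::map<std::string, std::vector<std::string>>
find_conflicts(const std::vector<std::string>& uris) {
    std::map<std::string, std::vector<std::string>> by_name, conflicts;
    for (const auto& uri : uris) by_name[data_file_name(uri)].push_back(uri);
    for (const auto& entry : by_name)
        if (entry.second.size() > 1) conflicts.insert(entry);
    return conflicts;
}

int main() {
    // Constructed sample URIs, not taken from any real site.
    std::vector<std::string> uris = {
        "/index.shtml", "/news/index.shtml", "/news_index.shtml",
        "/~user/a-b.shtml", "/~user/a_b.shtml", "/index.shtml/extra path",
    };
    for (const auto& uri : uris)
        std::cout << uri << " -> " << data_file_name(uri) << "\n";
    for (const auto& c : find_conflicts(uris)) {
        std::cout << "conflict on " << c.first << ":";
        for (const auto& uri : c.second) std::cout << " " << uri;
        std::cout << "\n";
    }
    return 0;
}
```

Running the conflict check over a site's page list before upgrading shows which pages would end up sharing one counter.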