Re: HACKED [mv] eWeek using Minivend in our openhack project
****** message to minivend-users from Ryan Hertz <rhertz@gyb.baits.com> ******
At 10:01 PM 7/5/00 , you wrote:
>****** message to minivend-users from "Barry Treahy, Jr."
><Treahy@mmaz.com> ******
>
>I haven't tested this on MV 4, but on MV 3, I cannot reproduce it. Anyone
>else?
Seems to me that it isn't an issue with 3.x. *whew*
>Barry
>
>
> > ... minivend file view_page.html:
> >
> > ---cut here---
> > [elsif session arg =~ /^\/|\.\./]
> > ---cut here---
> >
> > does no proper input validation checks (they forgot about the "|" :)
> >
> > these two problems do allow http-request like:
> >
> > https://www.openhack.com/cgi-bin/eweekorcl/view_page.html?mv_arg=|ls|
> >
>
>-
>To unsubscribe from the list, DO NOT REPLY to this message. Instead, send
>email with 'UNSUBSCRIBE minivend-users' in the body to Majordomo@minivend.com.
>Archive of past messages: http://www.minivend.com/minivend/minivend-list
Ryan Hertz tel 800-645-BAIT
Webmaster fax 520-645-2588
Advertising Director http://yamamoto.baits.com
Gary Yamamoto Custom Baits, Inc. http://www.insideline.net
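Added example, not part of the original thread and not Minivend's own code: a Python re-implementation of the quoted `[elsif session arg =~ /^\/|\.\./]` test next to an allowlist, to show which values a denylist of "/" and ".." lets through. The allowlist pattern, the function names and every sample value other than `|ls|` are assumptions made for illustration.

```python
import re

# The test quoted from view_page.html: flags a leading "/" or any "..".
QUOTED_DENYLIST = re.compile(r'^\/|\.\.')

# Assumed replacement rule (not from the thread): one or more path segments
# of letters, digits, "_" or "-", joined by "/", with an optional ".html".
ASSUMED_ALLOWLIST = re.compile(r'[A-Za-z0-9_-]+(?:/[A-Za-z0-9_-]+)*(?:\.html)?')


def denylist_accepts(arg: str) -> bool:
    """True when the quoted check would NOT flag the value."""
    return QUOTED_DENYLIST.search(arg) is None


def allowlist_accepts(arg: str) -> bool:
    """True only when the whole value matches the assumed safe shape.

    fullmatch() is used instead of a trailing "$" because "$" also matches
    just before a final newline.
    """
    return ASSUMED_ALLOWLIST.fullmatch(arg) is not None


def denylist_gaps(args):
    """Values the denylist lets through that the allowlist refuses."""
    return [a for a in args if denylist_accepts(a) and not allowlist_accepts(a)]


# Constructed sample values; only "|ls|" appears in the thread.
SAMPLES = ["catalog/item1", "a/b.html", "/absolute/path", "../secret",
           "|ls|", "item name", "page\n", ""]

if __name__ == "__main__":
    for value in SAMPLES:
        print(f"{value!r:18} denylist_ok={denylist_accepts(value)!s:5} "
              f"allowlist_ok={allowlist_accepts(value)}")
    print("gaps:", denylist_gaps(SAMPLES))
```

The denylist stops only the two shapes it names; the allowlist refuses everything it does not recognise, including the `|ls|` value from the report.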