Chuck Fox wrote:

Sometimes "dumb users" can be quite creative:

<a href="http://sitefinder.verisign.com/lpc?url='%3E%3Cimg%20src=http://www.patrick.fm/boobies/boobies.php?text=VeriSign%3E";>I Love VeriSign</a>
[...]

> No matter how foolproof you make, the fools keep getting smarter.
>
> Chuck

That's not entirely true. As this example shows, VeriSign programmers made a very stupid mistake causing the cross-site scripting vulnerability. They assumed they knew what the input looks like, so there was no need to properly quote it before printing.

Making their website show nudity may be funny but reading their users' cookies and personal login information might be much less funny. It could be easily avoided.

If all an attacker has to do in order to break their security is to fool any one of their users into clicking a link *.verisign.com/x=%20%22%27%3E... (or even automatically redirect anyone to such a link), then it is a very serious and easily exploitable vulnerability.

Considering VeriSign's gigantic user base and the rank of information they manage (not to mention it's a website to which they will point any non-existing DNS records very soon), it's absolutely terrifying. I would immediately fire anyone responsible for this flaw without asking any questions.

The bottom line is: you can write a foolproof CGI script. It's not even very hard. Use CGI.pm with $CGI::POST_MAX (and $CGI::DISABLE_UPLOADS when appropriate) to get the input. Use CGI::Untaint to validate it. Use DBI placeholders and HTML-escape any printed data coming from the user. Use taint mode.

Don't give up just because fools keep getting smarter.

--
ZSDC Perl and Systems Security Consulting
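The recipe in the message above, written out as an added example (not code from the original message or from VeriSign): a lookup script that caps request size, refuses uploads, untaints the `url` parameter against an explicit allow-list, binds it as a DBI placeholder and HTML-escapes it on output. The `lookups` table, the SQLite database and the parameter semantics are constructed assumptions for illustration.

```perl
#!/usr/bin/perl -T
# Added example: a hardened CGI script following the steps in the message.
# Taint mode (-T) refuses to use request data in unsafe operations until it
# has been explicitly untainted by a regex capture.
use strict;
use warnings;
use CGI qw(escapeHTML);
use DBI;

# Cap request bodies and refuse file uploads before CGI.pm parses anything.
$CGI::POST_MAX        = 100 * 1024;   # 100 KiB is plenty for a lookup form
$CGI::DISABLE_UPLOADS = 1;

my $q = CGI->new;

# Allow-list validation: "url" must be a bare host name. Quotes, angle
# brackets and everything else outside the class are rejected outright.
# The capture is what untaints the value under -T.
my $raw = $q->param('url') // '';
my ($host) = $raw =~ /\A([A-Za-z0-9.-]{1,253})\z/
    or bad_request('invalid url parameter');

# Placeholder keeps the value as data even if the allow-list were loosened.
# (Database name and table are constructed for this example; needs DBD::SQLite.)
my $dbh = DBI->connect('dbi:SQLite:dbname=lookups.db', '', '',
                       { RaiseError => 1, PrintError => 0 });
my $sth = $dbh->prepare('SELECT hits FROM lookups WHERE host = ?');
$sth->execute($host);
my ($hits) = $sth->fetchrow_array;

# Escape on output: even already-validated data is HTML-escaped before
# it is interpolated into the page, so the markup can never be altered.
print $q->header(-type => 'text/html; charset=utf-8');
printf "<p>%s has been looked up %d times.</p>\n",
       escapeHTML($host), $hits // 0;

sub bad_request {
    my ($msg) = @_;
    print $q->header(-status => '400 Bad Request', -type => 'text/plain'),
          escapeHTML($msg), "\n";
    exit 0;
}
```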


