Hi all,
I think one of our users has found a bug with the dspam.cgi
quarantine. If someone puts in an alert string of "*.dtcc.edu", it
will cause the cgi to error out. It seems that it uses perl regular
expressions and that string doesn't follow the rule. Something like
"dtcc.edu" and "From:.*dtcc.edu" work fine. I believe this is
because the * needs to follow another character (usually a . in
regexps).
Should there be more checks on the string that can be entered there?
I wonder if this input field can be further exploited, like someone
putting in system("ls /") or something stupid.
-- 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Pat Hennessy, RHCE (path@dtcc.edu)
Senior Systems Specialist
Systems, Stanton/Wilmington Campus
Delaware Technical and Community College
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Received on Fri Aug 26 09:41:56 2005
This archive was generated by hypermail 2.1.8 : Thu Sep 29 2005 - 13:51:29 EDT
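The failure described in the message above (an alert string interpolated straight into a Perl pattern, where a leading `*` has nothing to quantify) can be caught before it reaches the matching code. The following is an added example, not dspam's own code: it compiles each user-supplied alert with `eval { qr/.../ }` and reports a rejection instead of dying, and it shows `quotemeta` (`\Q...\E`) as the alternative of treating the alert as a literal substring so that "*.dtcc.edu" matches itself. The alert strings are the ones quoted in the message; the sample header line is constructed for the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Validate a user-supplied alert pattern before it is used for matching.
# Returns (1, $compiled_regex) on success or (0, $error_message) on failure.
# A string that fails to compile (e.g. "*.dtcc.edu", where the leading "*"
# has no preceding atom to quantify) is reported instead of killing the CGI.
sub compile_alert {
    my ($pattern) = @_;
    my $re = eval { qr/$pattern/ };
    if (!defined $re) {
        my $err = $@;
        $err =~ s/ at .* line \d+\.?\n?\z//s;   # drop the "at FILE line N." suffix
        return (0, $err);
    }
    return (1, $re);
}

# Alternative: treat the alert as a literal substring, not a regex.
# \Q...\E (quotemeta) escapes every metacharacter, so "*.dtcc.edu" only
# ever matches the text "*.dtcc.edu" and can never be an invalid pattern.
sub literal_alert {
    my ($text) = @_;
    return qr/\Q$text\E/;
}

# Alert strings quoted in the bug report, and a constructed header line to match.
my @alerts = ('*.dtcc.edu', 'dtcc.edu', 'From:.*dtcc.edu');
my $sample = "From: someone\@mail.dtcc.edu";

for my $alert (@alerts) {
    my ($ok, $result) = compile_alert($alert);
    if ($ok) {
        my $hit = ($sample =~ $result) ? 'matches' : 'no match';
        print "OK      '$alert' -> $hit\n";
    } else {
        print "REJECT  '$alert' -> $result\n";
    }
}

my $lit = literal_alert('*.dtcc.edu');
print "literal '*.dtcc.edu' matches '*.dtcc.edu': ",
      ('*.dtcc.edu' =~ $lit ? 'yes' : 'no'), "\n";
```

On the second worry in the message: a string interpolated into `qr//` or `=~ //` is compiled as a pattern, not evaluated as Perl code, so `system("ls /")` typed into the field is just literal characters to the regex engine. The realistic risks from an unchecked pattern are the crash shown here and, with a large enough input, pathological backtracking, which is why a length limit on the alert field is a cheap companion to the compile check.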