Request to merge: new-updxlrtr-v3.0: Enabling GET-Params for %xlrtrsettings

Michael Tremer michael.tremer at ipfire.org
Fri Apr 26 12:35:41 CEST 2013


On Thu, 2013-04-25 at 13:55 +0200, Jörn-Ingo Weigert wrote:
> I'm not really happy about re-implementing basic Features of HTML via
> JS,
> just cause of a limited processing (and thats what this return if...
> is)

No, it is a lot easier to make this kind of attack - without JS. All the
JS interpreters in modern browsers have a restriction that they cannot
send requests across different domains. That does not count for image
URL, etc.

For example the following code would indeed work:
 <img src="https://192.168.1.1:444/cgi-bin/exploitable.cgi?blah=blubb" ...>

You cannot send POST requests that easy.

> Sure, if there is a better solution to only on GET and POST methods it
> would be great to implement

My proposal would be to create a new function which only reads the query
string and returns a hash array with all the attributes that you want to
have. All the rest is ignored. For example:

# URL: https://192.168.1.1:444/cgi-bin/some.cgi?param1=123
my @values = ("param1");
my %hash = getquerystring(@values);
print $hash{'param1'};
> 123

This leaves getcgihash untouched, so we don't create new problems here.

-Michael




More information about the Development mailing list