Apache query - modifying User-Agent

Post by Rodger Donalds » Wed, 10 Oct 2001 17:59:24



I've got a problem, and I'm not having much luck working up a solution.

I have a (shoddily written) application server it is my displeasure to have
to work with.  Under certain circumstances, it is possible to embed code in
browser supplied information (for example, the user-agent and referer
fields), and have that code executed by the application server with whatever
system and DB privs the app server has been granted.  The potential for
problems is, well, obvious[1].

Since the vendor doesn't regard this as a problem(!!) I'm looking for ways
to sanitise fields passed to the app server by its plug-in, and Apache is a
good place to start.

Unfortunately, while I can use mod_rewrite and SetEnvIf to set environment
variables if dangerous characters are passed in the relevant fields, I can't
see any way of changing the user agent or referer the browser sends.

Am I:

1/ Looking for something that doesn't exist (ie in for a lot of painful
   conversations with the vendor and sitewide code patches).
2/ Thick (ie missing something obvious).

--

La Cicciolina [...] Electing her was an interesting contrast to the
situation in the UK: In Italy they elect a representative from the sex
industry.  In the UK, they elect their clients. -- Peter Gutmann
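The header rewriting asked about above is something Apache 1.3 cannot do (its mod_headers only touches response headers), but mod_headers in Apache 2.0 and later has RequestHeader, which alters request headers before the handler or proxy plug-in sees them. The following is an added example and not configuration from the thread; it assumes the application server's plug-in is reached under a hypothetical path /app/, that the Referer header is not needed there, and that mod_setenvif and mod_headers are both loaded.

```apache
# Added example, not from the thread. Apache 2.0+ with mod_setenvif and mod_headers.
# /app/ is an assumed location for the application-server plug-in.
<Location /app/>
    # Referer is not needed by the app server here (assumption), so remove it outright.
    RequestHeader unset Referer

    # Flag any User-Agent carrying shell, SQL or template metacharacters.
    # mod_setenvif runs early in the request, so the variable is already set
    # when RequestHeader is evaluated in the fixups phase.
    SetEnvIf User-Agent "[;|&`'\"<>$(){}]" ua_suspect

    # Only for flagged requests, overwrite the header with a fixed, harmless value.
    RequestHeader set User-Agent "sanitised-by-frontend" env=ua_suspect
</Location>
```

Two caveats apply. RequestHeader without the `early` keyword runs in the fixups phase, so a plug-in that reads headers before that (for example in post_read_request) will still see the original value; `early` moves the rewrite forward but cannot be combined with an `env=` condition, so the rewrite then has to be unconditional. And a metacharacter blacklist is a stopgap that will miss encodings the app server decodes itself; the fix belongs in the application server, with the front-end rule there to reduce exposure until it ships.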


Apache query - modifying User-Agent

Post by Dr Hackenbush » Thu, 11 Oct 2001 02:49:34


You should publicise the name of the App server and the vendor so their
product can be compromised by the burgeoning black-hat community.

That way, they'll go out of business and you can get on with your life.


> I've got a problem, and I'm not having much luck working up a solution.

> I have a (shoddily written) application server it is my displeasure to have
> to work with.  Under certain circumstances, it is possible to embed code in
> browser supplied information (for example, the user-agent and referer
> fields), and have that code executed by the application server with whatever
> system and DB privs the app server has been granted.  The potential for
> problems is, well, obvious[1].

> Since the vendor doesn't regard this as a problem(!!) I'm looking for ways
> to sanitise fields passed to the app server by its plug-in, and Apache is a
> good place to start.

> Unfortunately, while I can use mod_rewrite and SetEnvIf to set environment
> variables if dangerous characters are passed in the relevant fields, I can't
> see any way of changing the user agent or referer the browser sends.

> Am I:

> 1/ Looking for something that doesn't exist (ie in for a lot of painful
>    conversations with the vendor and sitewide code patches).
> 2/ Thick (ie missing something obvious).

> --

> La Cicciolina [...] Electing her was an interesting contrast to the
> situation in the UK: In Italy they elect a representative from the sex
> industry.  In the UK, they elect their clients. -- Peter Gutmann


Apache query - modifying User-Agent

Post by Rodger Donalds » Thu, 11 Oct 2001 04:48:01


On Tue, 9 Oct 2001 13:49:34 -0400, Dr Hackenbush


> You should publicise the name of the App server and the vendor so their
> product can be compromised by the burgeoning black-hat community.

The product flaw is now well-known in the community of people working with it.

I'm reluctant to publicise any more details about the vendor and product
until there are some good workarounds in place.

--

"The large print giveth, and the small print taketh away."


1. deny access to Apache virtual host by User-agent

The subject pretty much says it all. Running a name-based virtual host
under Apache 1.3.19 (linux) and I want to restrict access to the entire
vhost based on the User-agent. I thought something like the following would
work, but it doesn't:
SetEnvIf User-agent ^Wget no_go
<Directory /doc-root>
Order deny,allow
Deny from env=no_go
Allow from all
</Directory>

what am I missing here? Thanks in advance!
--
Douglas J. Hunley (Linux User #174778)
http://hunley.homeip.net/       http://linux.nf/        http://www.kicq.org/

"You don't get to be mom if you can't fix everything just right." -Calvin
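With `Order deny,allow`, a request that matches both a Deny and an Allow directive is allowed, which is why the `Allow from all` in the post above overrides `Deny from env=no_go`. Reversing the order makes the Deny take precedence. The following is an added example, not configuration from the post; it keeps the poster's `/doc-root` path and `no_go` variable and adds the equivalent for Apache 2.4, whose mod_authz_core replaces Order/Allow/Deny.

```apache
# Added example, not from the post. Corrected form for Apache 1.3 / 2.0 / 2.2 (mod_access).
# Wget sends "Wget/<version>", so the anchored pattern matches it.
SetEnvIf User-Agent ^Wget no_go
<Directory /doc-root>
    # With allow,deny the Deny directives are evaluated last and win when both match.
    Order allow,deny
    Allow from all
    Deny from env=no_go
</Directory>

# Same policy on Apache 2.4, where Order/Allow/Deny need mod_access_compat.
# Uncomment instead of the block above when running 2.4 with mod_authz_core.
# <Directory /doc-root>
#     <RequireAll>
#         Require all granted
#         Require not env no_go
#     </RequireAll>
# </Directory>
```

A quick check after reloading is a request with and without the offending header, for example `curl -I -A 'Wget/1.0' http://host/` (expect 403) against `curl -I http://host/` (expect 200). Use `SetEnvIfNoCase` if the match should ignore case, and remember that a User-Agent check is trivially bypassed by anyone who sets their own header; it keeps out default-configured tools, not a determined client.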
