09-24-2008
That's a cross-site scripting vulnerability at its finest. Are you asking how to prevent this on a design level? Never trust user-supplied data.
It's not clear what values for p you want to continue to allow, but the basic principle should be "deny everything except a well-known set" and so a simple implementation would be to default to accueil.html unless p is one from a small set of other pages you want to allow. (A simple but, on the face of it, reasonably safe generalization would be to only allow values for p which do not contain any slash, encoded or otherwise. But "encoded or otherwise" can constitute a large security hole, too. Are you sure you know all the ways a slash could end up as the result of URL parsing?)
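The deny-by-default lookup described in the reply above, as an added example (not code from the thread or from the original poster's site, whose language is not stated). The page names other than accueil.html and all function names are hypothetical, and the sample inputs are constructed.

```python
from urllib.parse import unquote

# Hypothetical allowlist: value of p -> file actually served.
# Only "accueil.html" comes from the thread; the other entries are made up.
ALLOWED_PAGES = {
    "accueil": "accueil.html",
    "contact": "contact.html",
    "produits": "produits.html",
}
DEFAULT_PAGE = "accueil.html"


def resolve_page(p):
    """Return the file to serve for query parameter p, denying by default."""
    if not isinstance(p, str):
        return DEFAULT_PAGE
    # Exact-match lookup: the user-supplied string is never used as a path
    # and never echoed back; it only selects one of our own constants.
    return ALLOWED_PAGES.get(p, DEFAULT_PAGE)


def naive_no_slash_check(p):
    """The 'no slash' generalization: True means the value would be accepted."""
    return "/" not in p


def slash_after_decoding(p, rounds=3):
    """Report whether a slash or backslash shows up after repeated URL-decoding."""
    for _ in range(rounds):
        if "/" in p or "\\" in p:
            return True
        decoded = unquote(p)
        if decoded == p:
            break
        p = decoded
    return "/" in p or "\\" in p


if __name__ == "__main__":
    # Constructed sample values for p.
    for sample in ["contact", "a/b", "a%2Fb", "a%252Fb", "<b>x"]:
        print(f"{sample!r:12} no-slash check accepts: {naive_no_slash_check(sample)!s:5} "
              f"slash after decoding: {slash_after_decoding(sample)!s:5} "
              f"served: {resolve_page(sample)}")
```

The singly and doubly encoded values pass the "no slash" check yet decode to a slash later in the pipeline, while the exact-match lookup sends every unknown value to the default page regardless of encoding.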