OK, I couldn’t resist pointing out all the problems in the code on  Of course, they said they’re not going to post any comments until Friday so there are no spoilers.  Which points out another vulnerability, as I’m about to spoil it.  Don’t continue if you want to try it yourself.

“OK, I can’t resist.

Mainly, this script is backwards – it cleans a few known dangerous characters rather than only allowing known good characters.  In fact, it still allows most ASCII characters including things that have special meanings to shell, etc., like !, *, etc.  It allows % so could do a format string attack on printf.  It allows url encoded characters other than \n and \r.  It allows ASCII / hex encoding so you could pass a control (^), ESC, etc.  It doesn’t prevent buffer overflows.

Also, it returns the original URL, which hasn’t been cleaned.  No point in trying to clean it then accessing the tainted variable later.  Dump it.

Finally, it’s in PHP.  :-)”



One Response to “”

  1. johnnycocaine Says:

    Oh, did I mention, that you can pass all those characters to a variety of services, not just http? E.g., passing a ^D (Control-D) to telnet:// would, I think, disconnect the session.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: