SafeHTML Lets Users Bypass the Filtering With Decimal HTML Entities and \x00 Symbols
SecurityTracker Alert ID: 1013315
SecurityTracker URL: http://securitytracker.com/id/1013315
CVE Reference: GENERIC-MAP-NOMATCH
Date: Feb 28 2005
Impact: Modification of system information, Modification of user information
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): prior to 1.3.0
Description:
A vulnerability was reported in SafeHTML. The software may not properly filter certain HTML constructs.
The software may not properly filter decimal HTML entities, nor code containing the \x00 (NUL) symbol. As a result, potentially malicious HTML that SafeHTML is meant to strip may pass through the filter unchanged.
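The two evasion techniques named above share one root cause: a filter that pattern-matches on the raw input before reducing it to the form a browser will actually interpret. The following is an added illustration, not SafeHTML's code (SafeHTML is a PHP library and the advisory gives no internals); it assumes the weak point is a substring check for dangerous URL schemes in attribute values, and shows in Python why decoding entities and dropping control bytes must happen before that check.

```python
import html
import re

# Constructed sample attribute values for this example. "decimal" spells the
# first letter of the scheme as a decimal entity; "nul" splits the keyword
# with a NUL byte. Both are the tricks the advisory names.
SAMPLES = {
    "plain":   'href="http://example.com/"',            # benign, constructed
    "decimal": 'href="&#106;avascript:void(0)"',        # &#106; decodes to "j"
    "nul":     'href="java\x00script:void(0)"',         # NUL inside the scheme
}

DANGEROUS_SCHEMES = ("javascript:", "vbscript:", "data:")


def naive_blocks(attr_value: str) -> bool:
    """Match on the raw text only, with no canonicalization.
    Returns True if this (weak) filter would block the value."""
    return any(s in attr_value.lower() for s in DANGEROUS_SCHEMES)


def canonicalize(attr_value: str) -> str:
    """Reduce the value to what a browser acts on before matching: decode
    numeric and named entities until the text stops changing (covers
    double encoding), then remove C0 control characters such as \x00."""
    prev, text = None, attr_value
    while text != prev:
        prev = text
        text = html.unescape(text)
    return re.sub(r"[\x00-\x1f]", "", text).lower()


def hardened_blocks(attr_value: str) -> bool:
    """Same scheme check, applied to the canonicalized value."""
    return any(s in canonicalize(attr_value) for s in DANGEROUS_SCHEMES)


def compare() -> dict:
    """Return {name: (naive_blocks, hardened_blocks)} for every sample."""
    return {n: (naive_blocks(v), hardened_blocks(v)) for n, v in SAMPLES.items()}


if __name__ == "__main__":
    for name, (naive, hardened) in compare().items():
        print(f"{name:8} naive={naive!s:5} hardened={hardened}")
```

The naive check lets both evasions through while the canonicalized check catches them; the same ordering (decode, strip, then filter) applies to tag and attribute names, not only to URL schemes.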
Impact:
The software may fail to block malicious HTML code.
Solution:
The vendor has issued a fixed version (1.3.0 and later), available at:
http://pixel-apes.com/safehtml/
Vendor URL: pixel-apes.com/safehtml/
Cause:
Input validation error, State error
Underlying OS:
Linux (Any), UNIX (Any), Windows (Any)
Message History:
None.
Source Message Contents
Date: Mon, 28 Feb 2005 00:31:10 -0500
Subject: http://pixel-apes.com/safehtml/
> Two security holes with decimal HTML entities and with the \x00 symbol were fixed.