Sunday, October 07, 2007
Wake up and smell the input validation
The Gentoo server got "owned" a while back through a command injection vulnerability in the packages page search function. No biggie, it happens...
That was two months ago and the page is still down. To quote the page "Please bear with us as we audit the code for the online packages database".
Wake up... it's called INPUT VALIDATION. Validate your input, and only permit the search function to search the database, not execute operating system commands. It scares me that such technical people are having trouble fixing such basic functionality, and most of all it's a PITA being without the package search functionality.
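What "only permit the search function to search the database" looks like in practice, as an added example (this is not the Gentoo packages code, whose language and schema are not on this page): the search term is checked against a small allowlist of package-name characters and rejected otherwise, and then handed to the database as a bound parameter, so it is only ever data to the query engine and never part of a command line. The table layout, the sample packages and the accepted character set are assumptions made for the demo.

```python
import re
import sqlite3

# Allowlist for a package-name search term. Assumption for this demo: names use
# letters, digits, '.', '_', '+', '-' and '/' (category/name). Anything else,
# including whitespace, quotes and shell metacharacters, is rejected outright
# rather than "cleaned", so it never reaches any later layer.
_SEARCH_TERM = re.compile(r"^[A-Za-z0-9._+/-]{1,64}$")


def is_valid_search_term(term: str) -> bool:
    """True if the term is a plausible package-name fragment."""
    return _SEARCH_TERM.fullmatch(term.strip()) is not None


def validate_search_term(term: str) -> str:
    """Return the stripped term, or raise if it fails the allowlist."""
    term = term.strip()
    if not _SEARCH_TERM.fullmatch(term):
        raise ValueError("search term contains characters outside the allowlist")
    return term


def _escape_like(term: str) -> str:
    # '%' and '_' are LIKE wildcards; '_' is legal in package names, so a
    # search for "gcc_" must not silently match "gcc-config".
    return term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def search_packages(conn: sqlite3.Connection, term: str) -> list[str]:
    """Substring search over the packages table using a bound parameter.

    The user-supplied term is validated, then passed as a query parameter;
    it is never concatenated into SQL text or into a shell command string."""
    term = validate_search_term(term)
    pattern = f"%{_escape_like(term)}%"
    rows = conn.execute(
        "SELECT category || '/' || name FROM packages "
        "WHERE name LIKE ? ESCAPE '\\' ORDER BY category, name",
        (pattern,),
    ).fetchall()
    return [row[0] for row in rows]


def build_demo_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the packages database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE packages (category TEXT, name TEXT)")
    conn.executemany(
        "INSERT INTO packages VALUES (?, ?)",
        [
            ("sys-devel", "gcc"),
            ("sys-devel", "gcc-config"),
            ("dev-lang", "python"),
            ("net-misc", "openssh"),
            ("app-misc", "gcc_notes"),
        ],
    )
    return conn


if __name__ == "__main__":
    db = build_demo_db()
    print(search_packages(db, "gcc"))
    print(search_packages(db, "gcc_"))
    for bad in ("gcc;", "gcc'", "gcc config"):
        try:
            search_packages(db, bad)
        except ValueError as exc:
            print(f"rejected {bad!r}: {exc}")
```

The two halves do different jobs: the allowlist keeps the request small and boring, and the bound parameter means that even if the allowlist were loosened later, the term still could not change the structure of the query. Neither half involves a shell at all, which is the point: a package search has no reason to spawn one.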