SafeHTML Lets Users Bypass the Filtering With Decimal HTML Entities and \x00 Symbols
SecurityTracker Alert ID: 1013315
SecurityTracker URL: http://securitytracker.com/id?1013315
CVE Reference: GENERIC-MAP-NOMATCH
Date: Feb 28 2005
Impact: Modification of system information, Modification of user information
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): prior to 1.3.0
Description: A vulnerability was reported in SafeHTML. The software may not properly filter certain HTML code.
Specifically, the filter may not correctly handle decimal HTML entities or input containing the \x00 (NUL) byte. As a result, potentially malicious markup encoded in either of these forms may pass through SafeHTML without being blocked.
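The canonicalization step this class of bug calls for, as an added example that is not SafeHTML's own code: a blocklist applied to the raw string misses the decimal-entity and NUL-byte spellings of the same URL scheme, while the identical check run after normalization catches them. Sample inputs are constructed, the example also covers hexadecimal entities (which the advisory does not mention), and it assumes the downstream consumer decodes numeric entities and ignores NUL bytes.

```python
import html
import re

# Constructed sample inputs (not taken from the advisory). Each carries the
# same scheme; only the spelling differs.
SAMPLES = {
    "plain": '<a href="javascript:alert(1)">x</a>',
    "decimal_entities": '<a href="&#106;&#97;&#118;&#97;script:alert(1)">x</a>',
    "hex_entities": '<a href="&#x6a;avascript:alert(1)">x</a>',
    "nul_bytes": '<a href="java\x00script:alert(1)">x</a>',
}

# Simplified stand-in for a filter rule; a real sanitizer should allowlist
# tags, attributes and URL schemes rather than blocklist one string.
BLOCKLIST = re.compile(r"javascript:", re.IGNORECASE)


def naive_filter_flags(markup: str) -> bool:
    """Run the rule against the raw input: obfuscated spellings slip past."""
    return bool(BLOCKLIST.search(markup))


def canonicalize(markup: str) -> str:
    """Reduce the input to the form the consumer will actually interpret.

    Assumption: the consumer drops NUL bytes and decodes named, decimal and
    hexadecimal entities. Decoding repeats until the text stops changing so
    that double-encoded forms such as &amp;#106; are also resolved; this is
    deliberately conservative for a filter (prefers false positives).
    """
    previous = None
    while previous != markup:
        previous = markup
        markup = html.unescape(markup.replace("\x00", ""))
    return markup


def hardened_filter_flags(markup: str) -> bool:
    """Same rule, but applied after canonicalization."""
    return bool(BLOCKLIST.search(canonicalize(markup)))


if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(f"{name:18} naive={naive_filter_flags(sample)!s:5} "
              f"hardened={hardened_filter_flags(sample)}")
```

Normalizing before matching is the point; the blocklist itself is only a stand-in, and a production sanitizer should rebuild output from an allowlist of tags, attributes and schemes.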
Impact: The software may fail to block malicious HTML code.
Solution: The vendor has issued a fixed version (1.3.0 and later), available at:
http://pixel-apes.com/safehtml/
Vendor URL: pixel-apes.com/safehtml/
Cause: Input validation error, State error
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
Message History:
None.
Source Message Contents
Date: Mon, 28 Feb 2005 00:31:10 -0500
Subject: http://pixel-apes.com/safehtml/
> Two security holes with decimal HTML entities and with the \x00 symbol were fixed.