From andy at murren.org Tue Jul 8 11:27:58 2003
From: andy at murren.org (Andy Murren)
Date: Thu Aug 5 00:29:20 2004
Subject: MCPM: Meeting Next Week
Message-ID: <20030708162758.GC2018@murren.org>

This is your monthly reminder about the next scheduled Morris County Perl Mongers Meeting on Tuesday 15 July at 7:30pm at the Dublin Pub in Morristown.

Please respond to the list to let us know if you will be attending.

Andy

--
Andy Murren
andy@murren.org

From lorgee2000 at yahoo.com Tue Jul 8 12:17:55 2003
From: lorgee2000 at yahoo.com (Lorraine Gee)
Date: Thu Aug 5 00:29:20 2004
Subject: MCPM: Meeting Next Week
In-Reply-To: <20030708162758.GC2018@murren.org>
Message-ID: <20030708171755.80350.qmail@web13602.mail.yahoo.com>

Yes, as it looks right now, I will be attending.

-- Ed

Andy Murren wrote:
This is your monthly reminder about the next scheduled Morris County Perl Mongers Meeting on Tuesday 15 July at 7:30pm at the Dublin Pub in Morristown.

Please respond to the list to let us know if you will be attending.

Andy

--
Andy Murren
andy@murren.org

From swalker at walkertek.com Tue Jul 8 13:04:20 2003
From: swalker at walkertek.com (Stephen Walker)
Date: Thu Aug 5 00:29:20 2004
Subject: MCPM: Meeting Next Week
In-Reply-To: <20030708162758.GC2018@murren.org>
Message-ID: <004401c3457b$5baca180$3300000a@ibmtb>

I'll be there.

Thanks,
Steve

-----Original Message-----
From: owner-morriscounty@pm.org [mailto:owner-morriscounty@pm.org] On Behalf Of Andy Murren
Sent: Tuesday, July 08, 2003 12:28 PM
To: morriscounty@pm.org
Subject: MCPM: Meeting Next Week

This is your monthly reminder about the next scheduled Morris County Perl Mongers Meeting on Tuesday 15 July at 7:30pm at the Dublin Pub in Morristown.
Please respond to the list to let us know if you will be attending.

Andy

--
Andy Murren
andy@murren.org

From andy at murren.org Tue Jul 15 08:52:27 2003
From: andy at murren.org (Andy Murren)
Date: Thu Aug 5 00:29:20 2004
Subject: MCPM: Meeting Tonight
Message-ID: <20030715135227.GA3366@murren.org>

Tonight is our July meeting. Dublin Pub at 7:30pm.

So far Steve and I will be there. Let me know if you plan on attending I will call ahead for a table.

Andy

--
Andy Murren
andy@murren.org

From andy at murren.org Tue Jul 15 15:37:26 2003
From: andy at murren.org (Andy Murren)
Date: Thu Aug 5 00:29:20 2004
Subject: MCPM: Tonight
Message-ID: <20030715203726.GB3366@murren.org>

We have a reservation for ANDY for 6 people at 7:30, non-smoking section.

Hope to see y'all there

Andy

--
Andy Murren
andy@murren.org

From lorgee2000 at yahoo.com Tue Jul 15 16:32:00 2003
From: lorgee2000 at yahoo.com (Lorraine Gee)
Date: Thu Aug 5 00:29:20 2004
Subject: MCPM: Tonight
In-Reply-To: <20030715203726.GB3366@murren.org>
Message-ID: <20030715213200.86433.qmail@web13607.mail.yahoo.com>

Yep, I'll be there - and I invited a consultant to join us (he's from Chicago, been here for weeks now & needs to get out of his hotel room).

Ed

Andy Murren wrote:
We have a reservation for ANDY for 6 people at 7:30, non-smoking section.

Hope to see y'all there

Andy

--
Andy Murren
andy@murren.org

From swalker at walkertek.com Sun Jul 20 23:39:02 2003
From: swalker at walkertek.com (Stephen Walker)
Date: Thu Aug 5 00:29:20 2004
Subject: MCPM: FW: [Full-Disclosure] CGI.pm vulnerable to Cross-site Scripting.
Message-ID: <002801c34f42$087a3b50$f901a8c0@ibmtb>

Thought you guys might be interested.
Steve

-----Original Message-----
From: full-disclosure-admin@lists.netsys.com [mailto:full-disclosure-admin@lists.netsys.com] On Behalf Of obscure
Sent: Sunday, July 20, 2003 6:10 PM
To: Full Disclosure
Subject: [Full-Disclosure] CGI.pm vulnerable to Cross-site Scripting.

Advisory Title: CGI.pm vulnerable to Cross-site Scripting.
Release Date: July 19 2003
Application: CGI.pm - which is by default included in many common Perl distributions.
Platform: Most platforms. Tested on Apache and IIS.
Version: CGI.pm
Severity: Affects scripts which make use of start_form()
Author: Obscure^ [ obscure@eyeonsecurity.org ]
Vendor Status: first informed on 30th April 2003
Although the author told EoS that he will be releasing a fix within a week from his last correspondence (May 15), no fix is out yet on his website.
Web: http://stein.cshl.org/WWW/software/CGI/
     http://eyeonsecurity.org/advisories/

Background.

(extracted from http://stein.cshl.org/WWW/software/CGI/)

This perl 5 library uses objects to create Web fill-out forms on the fly and to parse their contents. It provides a simple interface for parsing and interpreting query strings passed to CGI scripts. However, it also offers a rich set of functions for creating fill-out forms. Instead of remembering the syntax for HTML form elements, you just make a series of perl function calls. An important fringe benefit of this is that the value of the previous query is used to initialize the form, so that the state of the form is preserved from invocation to invocation.

Problem

CGI.pm has the ability to create forms by making use of the start_form() function. The developer/perl scripter can also make use of start_multipart_form() which relies on start_form() and is therefore vulnerable to the same issue. When the action for the form is not specified, it is given the value of $self->url(-absolute=>1,-path=>1) - which means that when the url is something like the following:

http://host/script.pl?">some%20text
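
Added example, not part of the archived messages and not CGI.pm's own code: a small Perl model of the pattern the advisory describes, a form tag whose action defaults to the request URL, shown unescaped, escaped for an attribute context, and with a fixed action. The sub names and the /script.pl path are hypothetical; the input is constructed from the URL shape in the advisory.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Escape the characters that can close an attribute value or open a tag.
sub escape_attr {
    my ($s) = @_;
    my %ent = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
               '"' => '&quot;', "'" => '&#39;');
    $s =~ s/([&<>"'])/$ent{$1}/g;
    return $s;
}

# BEFORE (hypothetical helper): action defaults to the request URL and is
# written into the attribute as-is.
sub form_tag_unescaped {
    my ($request_url) = @_;
    return qq{<form method="post" action="$request_url">};
}

# AFTER, option 1: same default, escaped for the attribute context.
sub form_tag_escaped {
    my ($request_url) = @_;
    return '<form method="post" action="' . escape_attr($request_url) . '">';
}

# AFTER, option 2: the script names its own action; request data is unused.
sub form_tag_fixed_action {
    return '<form method="post" action="/script.pl">';
}

# Check that the output is still a single tag with one quoted action value.
sub attribute_intact {
    my ($tag) = @_;
    return $tag =~ /\A<form method="post" action="[^"<>]*">\z/ ? 1 : 0;
}

# Constructed input: path and query portion of the advisory's sample URL.
my $url = '/script.pl?">some%20text';

for my $case (['unescaped', form_tag_unescaped($url)],
              ['escaped',   form_tag_escaped($url)],
              ['fixed',     form_tag_fixed_action()]) {
    my ($name, $tag) = @$case;
    printf "%-9s intact=%d  %s\n", $name, attribute_intact($tag), $tag;
}
```

In a script that uses CGI.pm, the fixed-action option corresponds to passing -action explicitly to start_form() instead of relying on the default the advisory describes.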