Closed achim-owasp closed 4 years ago
This is a bug, but the check for malicious arguments fails only if the last argument ends with a digit.
Issue documented internally in o-saft.cgi.
Looking pedantically it's a bug, but it may occur in rare situations only, and only when testing. It should not occur when used as real CGI as there it must be the very last parameter from the corresponding web page. Hence I leave the issue closed and label it as "enhancement" instead of "bug".
o-saft.cgi --cgi --host=some.tld --cmd=+cn --exit=BEGIN0 fails, does not execute o-saft.pl