|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
Re: Hotmail security hole - injecting JavaScript using <IMG
Subject: Re: Hotmail security hole - injecting JavaScript using
On Wed, Jan 05, 2000 at 10:59:52PM -0500, Ajax wrote:
No, it is not. Why are everybody missing the obvious here?
It is TRIVIAL to make filters not have these kinds of security
None of these problems would have occurred if MS had stuck to this
Eivind.
This archive was generated by hypermail 2b27
: Mon Jan 10 2000 - 23:52:26 CST
FREEBSD.ORG)
Date: Sat Jan 08 2000 - 15:27:30 CST
OOE.GV.AT: "2nd attempt: AIX techlibss follows links"
> In my dream world, languages like HTML would be required by their own
> bylaws to explicitly enumerate at least the most blatantly insecure
> features. There *ought* to be a list somewhere of what tags can have
> javascript as a value, maintained by whichever authority is in charge of
> determining such things. Granted this only reduces the (potential)
> vulnerability to a race condition -- between the updating of the
> standard and the updating of site filters -- but it's probably as good
> as we can hope to get.
problems. The clue is that any security filter MUST default to
*D E N Y*, not pass. Any security filter that denies 'bad' stuff and
passes everything else is BROKEN.
trivial basic of secure systems design.
OOE.GV.AT: "2nd attempt: AIX techlibss follows links"