Bugtraq mailing list archives

Re: Hotmail security hole - injecting JavaScript using <IMG


From: eivind () FREEBSD ORG (Eivind Eklund)
Date: Sat, 8 Jan 2000 22:27:30 +0100


On Wed, Jan 05, 2000 at 10:59:52PM -0500, Ajax wrote:
> In my dream world, languages like HTML would be required by their own
> bylaws to explicitly enumerate at least the most blatantly insecure
> features.  There *ought* to be a list somewhere of what tags can have
> javascript as a value, maintained by whichever authority is in charge of
> determining such things.  Granted this only reduces the (potential)
> vulnerability to a race condition -- between the updating of the
> standard and the updating of site filters -- but it's probably as good
> as we can hope to get.

No, it is not.  Why is everybody missing the obvious here?

It is TRIVIAL to make filters not have these kinds of security
problems.  The clue is that any security filter MUST default to
*D E N Y*, not pass.  Any security filter that denies 'bad' stuff and
passes everything else is BROKEN.

None of these problems would have occurred if MS had stuck to this
trivial basic of secure systems design.

Eivind.
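The default-deny principle Eivind states, as an added example that is not part of the thread: a denylist filter that strips known-bad tags (and so passes a javascript: URL in an IMG attribute) beside an allowlist sanitizer that only emits enumerated tags, attributes and URL schemes. Standard-library Python only; the tag/attribute lists, scheme list and sample input are constructed for illustration.

```python
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Denylist filter of the kind the thread criticises: removes constructs it
# knows about and passes everything else.  Constructed for illustration.
DENY_PATTERNS = [re.compile(r"<script.*?</script>", re.I | re.S),
                 re.compile(r"<iframe.*?>", re.I)]

def denylist_filter(html):
    for pat in DENY_PATTERNS:
        html = pat.sub("", html)
    return html

# Allowlist (default-deny) filter: only the enumerated tags, their listed
# attributes and http/https URLs survive; everything else is dropped.
ALLOWED = {"b": set(), "i": set(), "p": set(), "br": set(),
           "a": {"href"}, "img": {"src", "alt"}}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"http", "https"}   # relative URLs (empty scheme) are dropped too

class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            return                      # unknown tag: dropped by default
        kept = []
        for name, value in attrs:
            if name not in ALLOWED[tag] or value is None:
                continue                # unlisted attribute: dropped by default
            if name in URL_ATTRS and urlparse(value).scheme not in SAFE_SCHEMES:
                continue                # javascript:, data:, etc.: dropped
            kept.append(' %s="%s"' % (name, escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))

    def handle_endtag(self, tag):
        if tag in ALLOWED and tag not in ("br", "img"):
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        self.out.append(escape(data))   # text is always re-escaped

def allowlist_filter(html):
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)
```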

