Bugtraq mailing list archives
Re: Hotmail security hole - injecting JavaScript using <IMG
From: eivind () FREEBSD ORG (Eivind Eklund)
Date: Sat, 8 Jan 2000 22:27:30 +0100
On Wed, Jan 05, 2000 at 10:59:52PM -0500, Ajax wrote:
In my dream world, languages like HTML would be required by their own bylaws to explicitly enumerate at least the most blatantly insecure features. There *ought* to be a list somewhere of what tags can have javascript as a value, maintained by whichever authority is in charge of determining such things. Granted this only reduces the (potential) vulnerability to a race condition -- between the updating of the standard and the updating of site filters -- but it's probably as good as we can hope to get.
No, it is not. Why are everybody missing the obvious here? It is TRIVIAL to make filters not have these kinds of security problems. The clue is that any security filter MUST default to *D E N Y*, not pass. Any security filter that denies 'bad' stuff and passes everything else is BROKEN. None of these problems would have occurred if MS had stuck to this trivial basic of secure systems design. Eivind.
Current thread:
- Re: Hotmail security hole - injecting JavaScript using <IMG Kevin Hecht (Jan 03)
- Re: Hotmail security hole - injecting JavaScript using <IMG Henrik Nordstrom (Jan 04)
- Re: Hotmail security hole - injecting JavaScript using <IMG Metal Hurlant (Jan 05)
- Re: Hotmail security hole - injecting JavaScript using <IMG Ajax (Jan 05)
- Re: Hotmail security hole - injecting JavaScript using <IMG Andrew Pimlott (Jan 07)
- Re: Hotmail security hole - injecting JavaScript using <IMG Eivind Eklund (Jan 08)
- IIS still revealing paths for web directories Vanja Hrustic (Jan 10)
- Re: IIS still revealing paths for web directories Vladimir Dubrovin (Jan 12)
- Re: IIS still revealing paths for web directories Chris Tobkin (Jan 12)
- Altavista Free Internet Security Plex Inphiniti (Jan 14)
- Re: Altavista Free Internet Security Bill (Jan 17)
- Trusted process on an untrusted machine? Mike Frantzen (Jan 18)
- Re: Trusted process on an untrusted machine? Pavel Machek (Jan 19)
- Re: Trusted process on an untrusted machine? Mike Frantzen (Jan 19)
- Re: Trusted process on an untrusted machine? Pavel Machek (Jan 20)
- Re: Hotmail security hole - injecting JavaScript using <IMG Metal Hurlant (Jan 05)
- Re: Trusted process on an untrusted machine? Tim Newsham (Jan 19)
- Re: Hotmail security hole - injecting JavaScript using <IMG Henrik Nordstrom (Jan 04)