- Original Message -
From: "Thierry Zoller" <[EMAIL PROTECTED]>
Again Geo, NOBODY has said that this is a vulnerability OF IE7 ITSELF we said
the handler that IE7 installs is broken.
I'm not disagreeing with that statement. I'm saying this input should never
get that far.
Geo.
tem. IE7 handles mailto links in untrusted web pages. Put the mailto link
in an untrusted html page and make it work with IE7.
Geo.
ample, an ftp server has to sanitize filenames to prevent usage of
streams on NTFS, you don't blame the filesystem that the input gets passed
to, it's the job of the ftp server to do the sanitizing of untrusted input.
Geo.
plication
that is responsible for mitigation of attacks via those exposed interfaces.
Geo.
e levels
and focus attention on the problem. Perhaps a table of popular PHP based
applications and a count column of the number of exploits each has had to
patch so folks can make an informed decision when looking for php based web
apps.
Geo.
e going to be using it so it
should take that into account and allow the machine administrator to at
least be locked down at the start so he has to enable the features and only
those features the web developers require. It's the only way to make a
powerful web language and still maintain some semblance of security.
Geo.
and things locked instead of open.
Is php secure by default when it's installed on a server?
Geo.
ebsites are (suppose half of them are stores that
process credit cards).
Geo.
require patching or the
apps written for them require patching, how often each are being used to
exploit servers, etc.
We need some sort of a rating system that allows the users to see the
difference and to understand that more doesn't always mean better.
Geo.
he public so that
when selecting a web host they know that one who supports PHP may be putting
them at extreme risk compared to one who is a bit more security conscious?
As a threat to the internet in whole, don't you think these public php
enabled web servers pose a high risk?
Geo.
n't know,
the hackers figure this stuff out in seconds. Just mark this as a stupid
idea and add a popup before it bypasses values in the hosts file so the user
is allowed to permit or deny it. Had they done that I would have defended
their actions, it's when they mess with a user's security without asking that
I find it inappropriate behavior for a company like MS.
Geo.
d fixes imo. The problem
is a trojan modifying hosts then fix the problem instead of ignoring hosts.
Provide a locking mechanism for hosts, remove the trojan, there are a
hundred ways to fix this that are far more proper ways to do things than
this.
Geo.
ything? Yeah, I
think they can ignore it until someone decides to target them.
Geo.
> Geo, the default is bad. However, it is not a Microsoft issue, this is a
> spoofing issue. Many like to bash Microsoft, some hate them. Myself I am
> known as a Microsoft critic at times.
Please don't misunderstand me, I'm not bashing MS or even being a critic
(although I
ns servers until they change the default there as well.
Geo.
ing those routers should be smart
enough to be able to figure out how to disable it so enabled by default
really should not be a change that is an issue for router manufacturers.
Geo.
t; server in ISPs/Telcos. All this requires is a moderate level of
> competence in the person who has designed the service.
Really? Ok educate me, how do you do this with Windows 2000 running MS dns?
(telling people to use another server is not acceptable)
Geo.
the
same techniques they used for smtp?
Granted a port 53 inbound block would make more sense for the current
example but just like bots started running their own SMTP engines I see the
dns flood model changing to fit the new landscape.
Geo.
like that is dangerous? Especially
dangerous when it's DNS which runs virtually every function on the internet?
It's not a conspiracy theory, it's fact, if you create a control like that
someone is going to want to control it. I suggest only that we consider this
along with everything else.
Geo.
inate open recursive
servers and you have just created a really powerful control mechanism for
entities to control large sections of the internet since folks from those
sections won't be able to use anyone else's DNS servers or even run their
own (much like port 25 blocking limits who can run a mail server today). He
who controls dns controls the network.
Geo.
't know everything there is to know takes nothing away
from the project or the people working on it. In fact it shows you know more
than the people who refuse to recognize the reality.
Geo.
st track
down the sources of a distributed flood at least to the provider level if
not to the exact IP.
Geo.
packets and you have received 200K
of traffic. That's the amplification, one small udp packet, one large text
record in return.
Note, I don't have to use your local servers, but this way it makes it more fun
to troubleshoot because it looks like you are the cause of your own flooding.
Geo.
Just as a followup to this. In NTmail 5 (which was fresh out of beta this
month) this does fix things and turns VRFY off, however in NTmail 4.3c it is
broken and does nothing. Johns from Gordano confirmed this to me a short
while ago.
Geo.
> -Original Message-
> From: Bugtra