Re: Windows Installer msiexec GUID Buffer Overflow

2008-06-03 Thread 0xjbrown41
Other flags may be vulnerable as well. Microsoft has a thing for Unicode.

Re: [SE-2008-01] J2ME Security Vulnerabilities 2008

2008-08-07 Thread 0xjbrown41
* establishing of arbitrary phone calls

From RFC 3966 (http://www.faqs.org/rfcs/rfc3966.html):

11. Security Considerations

The security considerations parallel those for the mailto URL [RFC2368]. Web clients and similar tools MUST NOT use the "tel" URI to place telephone cal

Re: Re: [SE-2008-01] J2ME Security Vulnerabilities 2008

2008-08-08 Thread 0xjbrown41
Just a correction, I meant to say tel: not callto:. Thanks.

Re: Re: Re: MS Internet Explorer 7 Denial Of Service Exploit

2008-11-24 Thread 0xjbrown41
Not promoting this bug in any way in particular, but browsers should be stable enough to take input and process it without getting 'blown' away. IMHO just because it 'crashes' doesn't mean it's an exploit; just because there is no fault doesn't make it not an issue.

Re: /bin/login gives root to group utmp

2008-12-02 Thread 0xjbrown41
I'm glad you finally seemed to make the 'bug' fixing team of Debian aware of security issues. I'm just glad I personally haven't seen this much scrutiny from the security team or my faith in Debian maintainers in all areas would significantly drop even more. Nice find.

Re: [USN-684-1] ClamAV vulnerability

2008-12-04 Thread 0xjbrown41
[EMAIL PROTECTED]:~$ clamscan -V
ClamAV 0.94.1/8713/Tue Dec 2 14:59:31 2008

From http://securitytracker.com/alerts/2008/Dec/1021296.html:

Version(s): prior to 0.94.2
Description: A vulnerability was reported in Clam AntiVirus. A remote user can cause denial of service conditions on the ta

Re: Re: Multiple XSRF in DD-WRT (Remote Root Command Execution)

2008-12-15 Thread 0xjbrown41
That is why it is called a remote command execution via a CSRF vulnerability. Your code should be AT LEAST checking referrers (weak and obscure but helpful) or implementing many of the other protections that are available. See http://www.owasp.org/index.php/Cross-Site_Request_Forgery for more