Jasper Bryant-Greene wrote:
Moriyoshi Koizumi wrote:
Jasper Bryant-Greene wrote:
I very much doubt there are many applications at all containing code
like this. It is illogical to be decoding html entities from user
input. Therefore I would not call this a "very serious problem
Moriyoshi Koizumi wrote:
Jasper Bryant-Greene wrote:
I very much doubt there are many applications at all containing code
like this. It is illogical to be decoding html entities from user
input. Therefore I would not call this a "very serious problem" and
certainly not a critical
d for what its being
used for. The developer that tries to use it for input
validation/checking, now *there's* the joke!
--
Jasper Bryant-Greene
General Manager
Album Limited
http://www.album.co.nz/ 0800 4 ALBUM
[EMAIL PROTECTED]
Marcos Agüero wrote:
Jasper Bryant-Greene escribió:
Seriously though, it wouldn't be that hard to forward the POST on to the
real bank website, would it?
I think so, but would be very easy to detect. Logs would show lots of
diferent user logging in from the same IP Address.
Phishing
the correct details ;)
Seriously though, it wouldn't be that hard to forward the POST on to the
real bank website, would it?
--
Jasper Bryant-Greene
General Manager
Album Limited
http://www.album.co.nz/ 0800 4 ALBUM
[EMAIL PROTECTED] 021 708 334
___
Tõnu Samuel wrote:
Jasper Bryant-Greene wrote:
My point is, can you think of a logical reason why html_entity_decode
would be run on user input? I'm sure some idiot is doing it (and
therefore this is a security issue, though not exactly critical), but
I don't think I can think o
My point is, can you think of a logical reason why html_entity_decode
would be run on user input? I'm sure some idiot is doing it (and
therefore this is a security issue, though not exactly critical), but I
don't think I can think of a reason why it would be done.
Why would you want to decode
Tõnu Samuel wrote:
Nice! I was really nervous already as I got bombed with e-mails and I
really did not knew much more than was discovered. Meanwhile I am bit
disappointed that we had nearly month such a bug in wild and software
distributors like SuSE in my case did not published patches. I
[EMAIL PROTECTED] wrote:
On Mon, 27 Mar 2006 20:43:41 CST, s89df987 s9f87s987f said:
no work around is needed, there has been a solution all along..
one word.. firefox
It may be "one word" to you, but it can be a very expensive solution
for a company.
[snip]
Somebody has to handle all the