Re: Security in displaying arbitrary HTML

2000-04-28 Thread Gunther Birznieks
At 10:25 AM 4/28/00 +0100, Matt Sergeant wrote: >On Fri, 28 Apr 2000, Marc Slemko wrote: > > > On Thu, 27 Apr 2000, Matt Sergeant wrote: > > > > > Unfortunately there's also a browser bug to contend with. They treat \x8b > > > (I think that's the right code) as < and there's a similar code for > >

Re: Security in displaying arbitrary HTML

2000-04-28 Thread Matt Sergeant
On Fri, 28 Apr 2000, Marc Slemko wrote: > On Thu, 27 Apr 2000, Matt Sergeant wrote: > > > Unfortunately there's also a browser bug to contend with. They treat \x8b > > (I think that's the right code) as < and there's a similar code for > > >. Since most web developers are just doing s/ > attacks

Re: Security in displaying arbitrary HTML

2000-04-28 Thread Marc Slemko
On Thu, 27 Apr 2000, Matt Sergeant wrote: > Unfortunately there's also a browser bug to contend with. They treat \x8b > (I think that's the right code) as < and there's a similar code for > >. Since most web developers are just doing s/ attacks based on character sets like this. Sad, but true. Ev

RE: Security in displaying arbitrary HTML

2000-04-28 Thread Matt Sergeant
On Fri, 28 Apr 2000, Gerald Richter wrote: > > > > Gerald, what about Embperl, does it escape \x8b? > > > > No, there is no html escape for \x8b (and I guess the other one Matt > mentioned is \0x8d for >) I know, so Embperl will not escape it, but this > could be simply changed by an entry in epc

RE: Security in displaying arbitrary HTML

2000-04-28 Thread Gerald Richter
> > Gerald, what about Embperl, does it escape \x8b? > No, there is no html escape for \x8b (and I guess the other one Matt mentioned is \0x8d for >) I know, so Embperl will not escape it, but this could be simply changed by an entry in epchar.c. Any suggestion to what this should be escaped? Then

Re: Security in displaying arbitrary HTML

2000-04-28 Thread Dirk Lutzebaeck
Matt Sergeant writes: > Unfortunately there's also a browser bug to contend with. They treat \x8b > (I think that's the right code) as < and there's a similar code for > >. Since most web developers are just doing s/ attacks based on character sets like this. Sad, but true. Even our loved > C

RE: Security in displaying arbitrary HTML

2000-04-28 Thread Leon Brocard
Jeremy Howard wrote: > I'm interested in providing 'HTML email' support for my users > (like HotMail, Outlook Express, Eudora 4.0, etc provide), but > I'm very nervous about security. Essentially, providing HTML > email involves letting any arbitrary HTML get displayed by Apache... I've been

Re: Security in displaying arbitrary HTML

2000-04-27 Thread Jeffrey W. Baker
On Thu, 27 Apr 2000, John M Vinopal wrote: > I am a bad hacker and watching your line. I see cookies A and B go to you. > I set cookies A and B in my web browser. I am now you. You can try to > permute the cookies with IP# (breaks on proxies) or Browser type, but all > cookie based approaches

Re: Security in displaying arbitrary HTML

2000-04-27 Thread John M Vinopal
I am a bad hacker and watching your line. I see cookies A and B go to you. I set cookies A and B in my web browser. I am now you. You can try to permute the cookies with IP# (breaks on proxies) or Browser type, but all cookie based approaches believe in the value of something sent cleartext. O

Re: Security in displaying arbitrary HTML

2000-04-27 Thread Matt Sergeant
On Thu, 27 Apr 2000, Vivek Khera wrote: > > "SC" == Steven Champeon <[EMAIL PROTECTED]> writes: > > SC> developers and designers) for Webmonkey: > > SC> http://hotwired.lycos.com/webmonkey/00/18/index3a.html > > SC> If you want to see what sort of stuff the XSS problem opens you up for, >

Re: Security in displaying arbitrary HTML

2000-04-27 Thread Marc Slemko
On Thu, 27 Apr 2000, Vivek Khera wrote: > > "SC" == Steven Champeon <[EMAIL PROTECTED]> writes: > > SC> developers and designers) for Webmonkey: > > SC> http://hotwired.lycos.com/webmonkey/00/18/index3a.html > > SC> If you want to see what sort of stuff the XSS problem opens you up for, >

Re: Security in displaying arbitrary HTML

2000-04-27 Thread Steven Champeon
On Thu, 27 Apr 2000, Vivek Khera wrote: > Why on earth would you take user input and output it verbatim to your > pages? Rule number 1 of developing a web site is to never trust the > user's input values. *Always* validate it against what you're > expecting. I guess someone had better tell the

Re: Security in displaying arbitrary HTML

2000-04-27 Thread Vivek Khera
> "SC" == Steven Champeon <[EMAIL PROTECTED]> writes: SC> developers and designers) for Webmonkey: SC> http://hotwired.lycos.com/webmonkey/00/18/index3a.html SC> If you want to see what sort of stuff the XSS problem opens you up for, SC> just try appending ?tw=alert("aha!"); to the URL abo

Re: Security in displaying arbitrary HTML

2000-04-27 Thread Steven Champeon
On Thu, 27 Apr 2000, Marc Slemko wrote: > > Can you be more specific about why you say that? If I set an encrypted, > > short-lived cookie upon validated authentication, why is that any less > > secure than any of the other approaches you mentioned? > > It isn't necessarily any "less secure", but

Re: Security in displaying arbitrary HTML

2000-04-27 Thread Marc Slemko
On Thu, 27 Apr 2000, Nick Tonkin wrote: > On Thu, 27 Apr 2000, Marc Slemko wrote: > > > Cookies are not secure and will never be secure. They may be "good > > enough", and you may not have much choice, but they are still simply not > > secure when you put everything together. > > Can you be mo

Re: Security in displaying arbitrary HTML

2000-04-27 Thread Nick Tonkin
On Thu, 27 Apr 2000, Marc Slemko wrote: > Cookies are not secure and will never be secure. They may be "good > enough", and you may not have much choice, but they are still simply not > secure when you put everything together. Can you be more specific about why you say that? If I set an encrypt

Re: Security in displaying arbitrary HTML

2000-04-27 Thread Marc Slemko
On Thu, 27 Apr 2000, Jeremy Howard wrote: > I'm interested in providing 'HTML email' support for my users (like > HotMail, Outlook Express, Eudora 4.0, etc provide), but I'm very > nervous about security. Essentially, providing HTML email involves > letting any arbitrary HTML get displayed by Apa