On 10/18/07 10:47, Klaus Darilion wrote:
William Quan schrieb:
Hi all,
I came across a security alert that basically embeds javascript in the
display name of the From to initiate cross-site-scripting (XSS) attacks.
Here is an example:
From: "<script>alert('hack')</script>""user"
<sip:user at domain.com
<https://lists.grok.org.uk/mailman/listinfo/full-disclosure>>;tag=002a000c
Thats a cool attack. I fear there will be more smart attacks in the
next time.
cooler and cooler. My opinion is that the client should take care. I do
not see any reason why an application will interpret the display or user
name. It should be printed as it is. Same we can say may happen with the
email, when the text message will be interpreted, but not just
displayed. Would be funny to get compile errors or code executed when
someone just gives a snippet in a message.
AFAIK, unless is need for escape/unescape, those values should be taken
literally. Of course, having something in openser to detect/prevent
would be nice, but just as an add-on. Don't forget that some headers
bring nightmare after changing them -- although, in such cases, the
caller device won't care too much :)
Cheers,
Daniel
klaus
Grammatically , I don't see an issue with this. However, under the right
circumstances this could get ugly.
Do you see value in having openser take a proactive role to detect these
and reject calls? Or is this outside the scope of what a proxy should
be doing (leave it to the UA to sanitize) ?
Looking to get your thoughts-
-will
_______________________________________________
Users mailing list
Users@openser.org
http://openser.org/cgi-bin/mailman/listinfo/users
_______________________________________________
Users mailing list
Users@openser.org
http://openser.org/cgi-bin/mailman/listinfo/users
_______________________________________________
Users mailing list
Users@openser.org
http://openser.org/cgi-bin/mailman/listinfo/users
