At 16:26 18/10/2007, Daniel-Constantin Mierla wrote:
>On 10/18/07 10:47, Klaus Darilion wrote:
>>
>>
>>William Quan schrieb:
>>>Hi all,
>>>I came across a security alert that basically embeds javascript in the
>>>display name of the From to initiate cross-site-scripting (XSS) attacks.
>>>Here is an example:
>>>
>>>From: "<script>alert('hack')</script>""user" <sip:user@domain.com>;tag=002a000c
>>
>>That's a cool attack. I fear there will be more smart attacks in the near future.
>Cooler and cooler. My opinion is that the client should take care. I do not
>see any reason why an application will interpret the display or user name.
'cos your phone has a webpage with received calls.
>It should be printed as it is. The same may happen with email, when the text
>message is interpreted rather than just displayed. It would be funny to get
>compile errors or code executed when someone just gives a snippet in a
>message.
>
>AFAIK, unless there is a need for escape/unescape, those values should be taken
>literally. Of course, having something in openser to detect/prevent would be
>nice, but just as an add-on. Don't forget that some headers bring nightmares
>after changing them -- although, in such cases, the caller device won't care
>too much :)
Possibly nice-to-have, but wasted effort IMO, see the previous email. Something
generally app-unaware ('cos who knows what the actual app is) can't filter app,
and attempts to do so always lag behind the attackers or break the apps.
-jiri
--
Jiri Kuthan http://iptel.org/~jiri/
_______________________________________________
Users mailing list
[email protected]
http://openser.org/cgi-bin/mailman/listinfo/users