At 16:26 18/10/2007, Daniel-Constantin Mierla wrote:
>On 10/18/07 10:47, Klaus Darilion wrote:
>>
>>
>>William Quan wrote:
>>>Hi all,
>>>I came across a security alert that basically embeds javascript in the
>>>display name of the From to initiate cross-site-scripting (XSS) attacks.
>>>Here is an example:
>>>
>>>From: "<script>alert('hack')</script>""user"
>>><sip:user at domain.com
>>><https://lists.grok.org.uk/mailman/listinfo/full-disclosure>>;tag=002a000c
>>
>>That's a cool attack. I fear there will be more smart attacks in the next time.

>cooler and cooler. My opinion is that the client should take care. I do not
>see any reason why an application will interpret the display or user name.

'cos your phone has a webpage with received calls.

>It should be printed as it is. Same we can say may happen with the email, when
>the text message will be interpreted, but not just displayed. Would be funny
>to get compile errors or code executed when someone just gives a snippet in a
>message.
>
>AFAIK, unless there is need for escape/unescape, those values should be taken
>literally. Of course, having something in openser to detect/prevent would be
>nice, but just as an add-on. Don't forget that some headers bring nightmare
>after changing them -- although, in such cases, the caller device won't care
>too much :)

possibly nice-to-have, but wasted effort IMO, see the previous email.
something generally app-unaware ('cos who knows what the actual app is) can't
filter app, and attempts to do so always lag behind the attackers or break the
apps.

-jiri

--
Jiri Kuthan            http://iptel.org/~jiri/

_______________________________________________
Users mailing list
Users@openser.org
http://openser.org/cgi-bin/mailman/listinfo/users
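An added example, not from the thread or from openser, of the client-side fix Daniel argues for: the phone's received-calls page rendered once by pasting the From display-name into HTML and once with it escaped. The SIP header parsing is a deliberately lenient routine written for this example (not a full RFC 3261 parser), and the sample header is a constructed one modelled on the one quoted above.

```python
import html
import re

# Everything before the last "<sip:", "<sips:" or "<tel:" is treated as the
# display-name, unquoted if it is a quoted-string. Lenient on purpose: the
# caller controls this header, so malformed input (like the doubled quoted
# string in the thread's example) must still be handled, not rejected.
_ADDR_START = re.compile(r'<(?:sips?|tel):')

def sip_display_name(header_value: str) -> str:
    """Return the display-name of a From/To header value ('' if none)."""
    starts = list(_ADDR_START.finditer(header_value))
    if not starts:
        return ""  # bare addr-spec form, e.g. "sip:user@host;tag=1"
    raw = header_value[:starts[-1].start()].strip()
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        raw = re.sub(r'\\(.)', r'\1', raw[1:-1])  # undo quoted-pair escapes
    return raw

def render_call_row_unsafe(from_header: str, when: str) -> str:
    """The bug: header text is pasted straight into the page's HTML."""
    return f"<tr><td>{when}</td><td>{sip_display_name(from_header)}</td></tr>"

def render_call_row(from_header: str, when: str) -> str:
    """The fix: html.escape() turns < > & and quotes into entities, so the
    display-name is shown literally instead of being parsed as markup."""
    name = sip_display_name(from_header) or "(no display name)"
    return f"<tr><td>{html.escape(when)}</td><td>{html.escape(name)}</td></tr>"

# Constructed sample, modelled on the header quoted in the thread.
HOSTILE_FROM = '"<script>alert(\'hack\')</script>""user" <sip:user@example.com>;tag=002a000c'

if __name__ == "__main__":
    print(render_call_row_unsafe(HOSTILE_FROM, "2007-10-18 10:47"))
    print(render_call_row(HOSTILE_FROM, "2007-10-18 10:47"))
```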