At 16:26 18/10/2007, Daniel-Constantin Mierla wrote:

>On 10/18/07 10:47, Klaus Darilion wrote:
>>
>>
>>William Quan schrieb:
>>>Hi all,
>>>I came across a security alert that basically embeds javascript in the
>>>display name of the From to initiate cross-site-scripting (XSS) attacks.
>>>Here is an example:
>>>
>>>From: "<script>alert('hack')</script>""user"
>>><sip:user at domain.com>;tag=002a000c
>>
>>That's a cool attack. I fear there will be more smart attacks in the next time.
>cooler and cooler. My opinion is that the client should take care. I do not 
>see any reason why an application will interpret the display or user name. 

'cos your phone has a webpage with received calls.

>It should be printed as it is. Same we can say may happen with the email, when 
>the text message will be interpreted, but not just displayed. Would be funny 
>to get compile errors or code executed when someone just gives a snippet in a 
>message.
>
>AFAIK, unless there is a need for escape/unescape, those values should be taken 
>literally. Of course, having something in openser to detect/prevent would be 
>nice, but just as an add-on. Don't forget that some headers bring nightmare 
>after changing them -- although, in such cases, the caller device won't care 
>too much :)

possibly nice-to-have, but wasted effort IMO, see the previous email. something
generally app-unaware ('cos who knows what the actual app is) can't filter app,
and attempts to do so always lag behind the attackers or break the apps.

-jiri



--
Jiri Kuthan            http://iptel.org/~jiri/


_______________________________________________
Users mailing list
Users@openser.org
http://openser.org/cgi-bin/mailman/listinfo/users
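
The replies above place the fix in whatever application displays the header, such as a phone's received-calls web page. As an added example (not code from the thread or from OpenSER), this Python code parses the From value quoted above and renders a call-log table row with and without output encoding; the function names, the table layout and the restored `@` in the sample address are assumptions.

```python
import html
import re

# Constructed sample modelled on the From header quoted in the thread.
SAMPLE_FROM = ('"<script>alert(\'hack\')</script>""user" '
               '<sip:user@domain.com>;tag=002a000c')

_QUOTED = re.compile(r'\s*"((?:[^"\\]|\\.)*)"')
_ADDR = re.compile(r'<([^<>]*)>')

def split_from(value):
    """Return (display_name, uri) from a From header value.

    Lenient on purpose: adjacent quoted strings, as in the sample, are
    concatenated rather than rejected, so hostile text still reaches the
    renderer and the renderer has to cope with it.
    """
    pos, parts = 0, []
    while True:
        m = _QUOTED.match(value, pos)
        if not m:
            break
        # Undo quoted-pair escapes (\" and \\) inside the quoted string.
        parts.append(re.sub(r'\\(.)', r'\1', m.group(1)))
        pos = m.end()
    rest = value[pos:]
    addr = _ADDR.search(rest)
    if addr:
        # Unquoted display name, if any, sits before the <uri>.
        name = ''.join(parts) or rest[:addr.start()].strip()
        return name, addr.group(1)
    # Bare URI form: everything up to the first header parameter.
    return ''.join(parts), rest.split(';')[0].strip()

def render_row_unsafe(from_value):
    # The behaviour the thread warns about: header text becomes markup.
    name, uri = split_from(from_value)
    return "<tr><td>%s</td><td>%s</td></tr>" % (name, uri)

def render_row(from_value):
    # Header text is data: encode it for the HTML context at output time.
    name, uri = split_from(from_value)
    return "<tr><td>%s</td><td>%s</td></tr>" % (
        html.escape(name, quote=True), html.escape(uri, quote=True))

if __name__ == "__main__":
    print(render_row_unsafe(SAMPLE_FROM))
    print(render_row(SAMPLE_FROM))
```

The SIP message itself is left untouched; only the HTML rendering step changes.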
