Re: Cross-site scripting

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Mon, 30 Oct 2000 21:13:31 +0100

Robert Collins wrote:
>
> Looks great to me...

Good.

One thing remains: I haven't looked at all at wais.c.

gopher.c was as sensitive to these issues as the error pages due to
input data being reflected in the Gopher replies. So any site running
both a web and a gopher server on the same address could be fooled. The
"good" news is that my browser had similar issues when talking directly
to the site without a proxy..

FTP had issues if the attacker could create directory
structures/filenames or welcome messages on the FTP server. The "good"
news apply here too..

So I presume wais.c also has issues, but due to lack of experience from
using that protocol I have not bothered with it, and since it is less
significantly less widespread use than even gopher is I think it is only
a minor issue.

/Henrik
Received on Mon Oct 30 2000 - 13:14:24 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:12:53 MST