
Re: Yet another Disturbing type of Exploit



Hi Chris;

I have been following this issue.  I can tell you that we are not
looking at allowing users to add their own Javascript to pages.  This
is just one example of what user-defined Javascript can do.  In
general, we do not think that it is a good security practice to allow
users of the application to run arbitrary code in other peoples' web
browsers.

This looks like a subtype of XSS attacks and we take these seriously.

Best Wishes,
Chris Travers

On 4/19/07, Chris Bennett <..hidden..> wrote:
http://www.ngssoftware.com/research/papers/InterProtocolExploitation.pdf

Summary: A way of exploiting web browsers located within the security
perimeter (i.e. access to internal network) using something like
javascript from an external web page to launch a buffer overflow attack
on internal network.
Seems like problems like this could have serious implications against
many applications that are badly written but thought safe since not
exposed to Internet.
Obviously LSMB would not be susceptible to buffer overflows, but every
day I see more and more seriously negative stuff about javascript.
My understanding is that LSMB development is going to add a lot of
javascript based web 2.0/ajax type stuff, which IS wonderful to use.
Are there plans for the new interfaces to "degrade gracefully" without
loss of function (some loss of convenience couldn't be avoided), if a
person found that javascript HAD to be turned off and kept off because
of non-LSMB security issues?

Chris Bennett

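The mechanism the quoted paper summary describes, as an added example that is not part of the original mail and is not LedgerSMB code: a page outside the perimeter makes a browser behind it submit a form at an internal host and port, and a line-oriented internal service that silently skips lines it does not understand ends up executing the attacker-chosen form body. The "internal protocol" (SET/DEL), the host 10.0.0.5, the port 9999 and the field values are all constructed for illustration. The hardened variant shows the check a service owner would want: fail closed on the first unparseable line instead of skipping it.

```javascript
// Added example (not from the original mail or from LedgerSMB).
// Models the inter-protocol trick described in the quoted paper summary
// with a constructed line-oriented "internal" protocol. Runs under Node.

// What a browser emits for <form method="post" enctype="text/plain">:
// one "name=value" line per field, CRLF terminated. The page picks the
// field names and values, so it picks what each body line says.
function textPlainBody(fields) {
  return fields.map(([name, value]) => `${name}=${value}\r\n`).join('');
}

// The raw bytes that reach host:port. The request line and headers are
// fixed by the browser; only the body is under the page's control.
function browserFormPost(host, port, body) {
  return `POST / HTTP/1.1\r\n` +
    `Host: ${host}:${port}\r\n` +
    `Content-Type: text/plain\r\n` +
    `Content-Length: ${Buffer.byteLength(body)}\r\n` +
    `\r\n` +
    body;
}

// Constructed internal protocol: "SET key=value" or "DEL key", one per line.
// Returns an array for a valid command, null for anything else.
function parseCommand(line) {
  const sp = line.indexOf(' ');
  if (sp < 0) return null;
  const verb = line.slice(0, sp);
  const arg = line.slice(sp + 1);
  if (verb === 'SET') {
    const eq = arg.indexOf('=');
    if (eq < 0) return null;
    return ['SET', arg.slice(0, eq), arg.slice(eq + 1)];
  }
  if (verb === 'DEL') return ['DEL', arg];
  return null;
}

// Naive service: tolerant parsing. "POST / HTTP/1.1" and the header lines
// are unknown and get skipped, so the smuggled body lines are executed.
function naiveService(raw) {
  const executed = [];
  for (const line of raw.split('\r\n')) {
    const cmd = parseCommand(line);
    if (cmd) executed.push(cmd);
  }
  return executed;
}

// Hardened service: fail closed. Any line that is not a command of this
// protocol ends the session instead of being skipped. The HTTP request
// line is the first thing a browser sends, so the session dies before
// the body is ever interpreted. Empty lines (trailing CRLF) are allowed.
function hardenedService(raw) {
  const executed = [];
  for (const line of raw.split('\r\n')) {
    if (line === '') continue;
    const cmd = parseCommand(line);
    if (!cmd) return { accepted: false, executed }; // close and log the line
    executed.push(cmd);
  }
  return { accepted: true, executed };
}

// Run the constructed request through both services.
function demo() {
  const body = textPlainBody([['SET balance', '0'], ['SET admin', '1']]);
  const raw = browserFormPost('10.0.0.5', 9999, body);
  return { naive: naiveService(raw), hardened: hardenedService(raw) };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

The naive service executes both SET lines out of the form body; the hardened one rejects the connection on the request line. The same fail-closed rule is why real mail and IRC daemons reject sessions that open with an HTTP verb, and it costs nothing for genuine clients of the protocol.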

Ledger-smb-devel mailing list
https://lists.sourceforge.net/lists/listinfo/ledger-smb-devel