Comments on: Security Hole? http://erik.eae.net/archives/2004/08/06/17.15.09/ The Weblog of Erik Arvidsson Sat, 05 Jul 2008 16:34:47 +0000 http://wordpress.org/?v=2.5.1 By: foO http://erik.eae.net/archives/2004/08/06/17.15.09/#comment-1049 foO Thu, 01 Jan 1970 01:00:00 +0000 http://erik.eae.net/wp/?p=96#comment-1049 that's pretty scary.... hadn't reallly thought of that *blink* least you can still simply unsubscribe from an RSS feed should you find that it's doing something like that inside the pulled feeds... probably have to create a damn "Black List" of such feeds at some point in the future... sad, really. damn spammers. that’s pretty scary…. hadn’t reallly thought of that *blink*

least you can still simply unsubscribe from an RSS feed should you find that it’s doing something like that inside the pulled feeds… probably have to create a damn “Black List” of such feeds at some point in the future… sad, really.

damn spammers.

]]> By: boombastic http://erik.eae.net/archives/2004/08/06/17.15.09/#comment-1050 boombastic Thu, 01 Jan 1970 01:00:00 +0000 http://erik.eae.net/wp/?p=96#comment-1050 Please confirm if i get this right; if the feed's html contains a script then it exposes a security issue because it might retrieve local files through file:\ protocol and post to remote through XMLHTTP or simple form POST? Why not after parsing the feed we filter it, since it is a string at the end of the day(i.e. string:replace)? Today is my "questioning" day :) Please confirm if i get this right; if the feed’s html contains a script then it exposes a security issue because it might retrieve local files through file:\ protocol and post to remote through XMLHTTP or simple form POST? Why not after parsing the feed we filter it, since it is a string at the end of the day(i.e. string:replace)? Today is my “questioning” day :)

]]> By: Erik Arvidsson http://erik.eae.net/archives/2004/08/06/17.15.09/#comment-1051 Erik Arvidsson Thu, 01 Jan 1970 01:00:00 +0000 http://erik.eae.net/wp/?p=96#comment-1051 Yup, filtering the HTML would work but it is a bit tricky. There are tons of ways to inject code into a browser rendering engine these days. Yup, filtering the HTML would work but it is a bit tricky. There are tons of ways to inject code into a browser rendering engine these days.

]]> By: boombastic http://erik.eae.net/archives/2004/08/06/17.15.09/#comment-1052 boombastic Thu, 01 Jan 1970 01:00:00 +0000 http://erik.eae.net/wp/?p=96#comment-1052 Do you believe filtering Do you believe filtering

]]> By: boombastic http://erik.eae.net/archives/2004/08/06/17.15.09/#comment-1053 boombastic Thu, 01 Jan 1970 01:00:00 +0000 http://erik.eae.net/wp/?p=96#comment-1053 oh the comments section are tag sensitive. Correction to first line; Do you believe filtering script and object tags wont be enough? onload handlers can also be taken into account. Just checking if there is any other evil way that we should be aware of. oh the comments section are tag sensitive. Correction to first line;
Do you believe filtering script and object tags wont be enough? onload handlers can also be taken into account. Just checking if there is any other evil way that we should be aware of.

]]> By: tjf http://erik.eae.net/archives/2004/08/06/17.15.09/#comment-1054 tjf Thu, 01 Jan 1970 01:00:00 +0000 http://erik.eae.net/wp/?p=96#comment-1054 boombastic: If I remember correctly, there is purposefully no way for a script to POST an arbitary file of its own choice, specifically for that reason. boombastic: If I remember correctly, there is purposefully no way for a script to POST an arbitary file of its own choice, specifically for that reason.

]]> By: boombastic http://erik.eae.net/archives/2004/08/06/17.15.09/#comment-1055 boombastic Thu, 01 Jan 1970 01:00:00 +0000 http://erik.eae.net/wp/?p=96#comment-1055 tjf: that makes sense. Because file selector can do amazing things if it is the case. I never read or tried to play evil on these stuff, more like wtf should we be aware of if the application is running under IE or within HTA (or even on desktop through wininet). Perhaps someone can bring a spotlight on this. tjf: that makes sense. Because file selector can do amazing things if it is the case. I never read or tried to play evil on these stuff, more like wtf should we be aware of if the application is running under IE or within HTA (or even on desktop through wininet). Perhaps someone can bring a spotlight on this.

]]> By: Erik Arvidsson http://erik.eae.net/archives/2004/08/06/17.15.09/#comment-1056 Erik Arvidsson Thu, 01 Jan 1970 01:00:00 +0000 http://erik.eae.net/wp/?p=96#comment-1056 tjf: Well, if your RSS reader is using the file system and has scripting enabled a page can read any known file and send that data to some server on the internet. In Mozilla, using the file: uri scheme it can point to / (or c:\) and read the names of the files and folders and in this way find a specific file. tjf: Well, if your RSS reader is using the file system and has scripting enabled a page can read any known file and send that data to some server on the internet. In Mozilla, using the file: uri scheme it can point to / (or c:\) and read the names of the files and folders and in this way find a specific file.

]]>