lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <6170a5450510251500i6d9d4952xf5968ebefda8b8f@mail.gmail.com>
Date: Tue, 25 Oct 2005 17:00:32 -0500
From: Tatercrispies <tatercrispies@...il.com>
To: Paul Laudanski <zx@...tlecops.com>
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com,
	webappsec@...urityfocus.com
Subject: Re: phpBB 2.0.17 (and other BB systems as well)
	Cookie disclosure exploit.

On 10/25/05, Paul Laudanski <zx@...tlecops.com> wrote:
>
>
> If sites want to stay online that make use of dynamic content to some
> extent the onus is on them to do proper input validation. There are PHP
> functions which permit for checking. But again, they work well when
> checking local images.
>

Both Opera and Firefox respect the content-type HTTP header. IE stands alone
as the major browser that attempts to second-guess things and render an
image file as HTML. I believe this is firmly an error in the browser. While
we could try to mitigate the issue at the web application level, but given
how enormously wide-spread this problem is, in my opinion, it seems more
reasonable and direct to fix it at the source of the problem.

What's to say that these validation functions work well enough. Are there
pure PHP/ASP scripts can can accomplish this task for major image types. I
mean scripts that run without the use of external modules. I would love to
see them. By what criteria does Explorer decide that it's not going to
render an image as an image?

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ