Date: Sat, 26 Nov 2005 01:00:30 +0100 (CET)
From: Will Wesley <willwesleyccna@...oo.de>
To: Steven Champeon <schampeo@...keth.com>
Cc: bugtraq@...urityfocus.com
Subject: Re: XSS on Yahoo Mail
--- Steven Champeon <schampeo@...keth.com> wrote:
> I think you missed the point. He's actually just inserting ill-formed markup into the
> document flow and the browsers do react in the ways he described to such markup. As such,
> the problem exists. Calling out moron Web designers doesn't help much here. In HTML 3.2 and
> 4.0, for example, an open TD tag is required, so when non-markup text follows a start TR tag,
> the browser doesn't know how to deal with that text and places it out of the table's document
> flow, which has the result of throwing it further up the page, outside /and preceding/ the
> table in which it was found. This is a well-known problem to Web designers (who used to use
> it to troubleshoot complex table-based page layouts), but it doesn't mitigate its importance
> to those concerned with preventing XSS.
>
> Steve

I didn't miss the point. He's actually just inserting malformed data that the browser doesn't
know what to do with. Isn't that what I said? I only intended to point out what the problem
really was. It's not injecting scripts to run under Yahoo's privileges, no information is
passed to a third party, and either some very simple social engineering or a real XSS vuln
would need to be employed to pass any information. Calling out moron web devs is useless, I
agree. But it's just as pointless as pointing out that incorrectly using tags is a way of
troubleshooting. I had a point with the original statement, but it escapes me.

Anyway, a solution is really quite simple. Allow users
to disable HTML in their email, or why not by default?

- Will Wesley, BSCS
http://wieso.blogdrive.com
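
The two defensive angles raised in this thread, detecting user-supplied table markup whose stray text a browser will "foster-parent" out of the table's flow, and the blunt fallback of stripping HTML from mail altogether, as an added example that is not part of either poster's message. The code below is written for this page using only Python's standard-library `html.parser`; the class names, the `SAMPLE_EMAIL` body and the simplified implied-end-tag handling are constructed here, not taken from Yahoo Mail or any real sanitizer.

```python
from html.parser import HTMLParser

# Elements whose direct, non-whitespace text children an HTML parser moves out
# of the table (the out-of-flow rendering described in the thread).
TABLE_CONTEXT = {"table", "tbody", "thead", "tfoot", "tr"}
# Void elements never get pushed onto the open-element stack.
VOID = {"br", "img", "hr", "input", "meta", "link", "area", "base", "col", "wbr"}
# Elements that introduce a line break when flattening to plain text.
LINE_BREAKERS = {"p", "div", "br", "tr", "li", "h1", "h2", "h3", "h4", "h5", "h6"}


class StrayTableTextFinder(HTMLParser):
    """Flags text that sits directly inside table/tbody/tr without a cell."""

    def __init__(self):
        super().__init__()
        self.stack = []   # currently open elements, innermost last
        self.stray = []   # text fragments that would escape the table

    def handle_starttag(self, tag, attrs):
        if tag in VOID:
            return
        # Approximate the implied end tags HTML gives cells and rows
        # (a new <td> closes an open cell; a new <tr> closes cell and row).
        if tag in ("td", "th"):
            if self.stack and self.stack[-1] in ("td", "th"):
                self.stack.pop()
        elif tag == "tr":
            while self.stack and self.stack[-1] in ("td", "th", "tr"):
                self.stack.pop()
        self.stack.append(tag)

    def handle_endtag(self, tag):
        # Pop up to and including the matching open element, if any.
        if tag in self.stack:
            while self.stack.pop() != tag:
                pass

    def handle_data(self, data):
        text = data.strip()
        if text and self.stack and self.stack[-1] in TABLE_CONTEXT:
            self.stray.append(text)


def find_stray_table_text(html):
    """Return the text fragments a browser would render outside the table."""
    finder = StrayTableTextFinder()
    finder.feed(html)
    finder.close()
    return finder.stray


class PlainTextExtractor(HTMLParser):
    """Drops all markup (and script/style content) to produce plain text."""

    def __init__(self):
        super().__init__()
        self.parts = []
        self.skip_depth = 0  # > 0 while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
        elif tag in LINE_BREAKERS:
            self.parts.append("\n")

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self.skip_depth:
            self.skip_depth -= 1
        elif tag in LINE_BREAKERS:
            self.parts.append("\n")

    def handle_data(self, data):
        if not self.skip_depth:
            self.parts.append(data)


def to_plain_text(html):
    """The 'disable HTML' option: keep the words, lose every tag."""
    extractor = PlainTextExtractor()
    extractor.feed(html)
    extractor.close()
    lines = [ln.strip() for ln in "".join(extractor.parts).split("\n")]
    return "\n".join(ln for ln in lines if ln)


# Constructed sample mail body: the second row has text before any <td>.
SAMPLE_EMAIL = (
    "<table><tr><td>Order #1</td><td>shipped</td></tr>"
    "<tr>Your account has been suspended, reply with your password"
    "<td>ignored</td></tr></table>"
)

if __name__ == "__main__":
    print("stray text:", find_stray_table_text(SAMPLE_EMAIL))
    print("plain text:\n" + to_plain_text(SAMPLE_EMAIL))
```

A mail front end could reject or re-wrap a message when `find_stray_table_text` returns anything, since such text is exactly what lands above the table the sender appeared to put it in; `to_plain_text` is the per-user opt-out the reply suggests.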