| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 08 Jan 2007 10:32:08 -1000 From: Jim Manico <jim@...ico.net> To: "M.B.Jr." <marcio.barbado@...il.com> Cc: Jean-Jacques Halans <halans@...il.com>, full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com, "pdp (architect)" <pdp.gnucitizen@...glemail.com>, Web Security <websecurity@...appsec.org> Subject: Re: [Full-disclosure] [WEB SECURITY] Universal XSS with PDF files: highly dangerous > this is client-side stuff. Yes, but server-side changes can defend against this vulnerability. For my Java/J2EE apps, I took OWASP's suggestion at : http://www.owasp.org/index.php/PDF_Attack_Filter_for_Java_EE And all is well in my world. - Jim PS: And you are right of course about CSRF :) M.B.Jr. wrote: > On 1/3/07, Jim Manico <jim@...ico.net> wrote: >> I'm most worried about the CSRF vector. > > how come? > > this is client-side stuff. > -- Best Regards, Jim Manico GIAC GSEC Professional, Sun Certified Java Programmer jim@...ico.net 808.652.3805
Powered by blists - more mailing lists