Open Source and information security mailing list archives
Message-ID: <40F6AC62.6020707@sdf.lonestar.org>
From: bkfsec at sdf.lonestar.org (Barry Fitzgerald)
Subject: Exploits in websites due to buggy input validation
 where mozilla is at fault as well as the website.

Nick FitzGerald wrote:

>Nope -- _VERY_ bad idea.
>
I'm not sure I'd call it a *very* bad idea... it's better than silently 
finishing incomplete tags. 

>Idiot users want to blow both their feet off.
>
>Asking them "do you want a chance to blow your feet off?" only slows 
>the inevitable slightly, never prevents it.
>
Well, yeah, and that's always going to be the case no matter what you 
do.  Let's at least make it so that non-idiot users don't get their feet 
blown off regardless.

>The correct solution to all such problems is simply to reject the 
>content as malformed.  And guess what will happen when you do that?  
>Several really crappy web design products will disappear because the 
>folk using them will drop them because no-one can see their pages _and_ 
>the rest will suddenly become very interested in producing properly 
>compliant content, as they should have been from the outset.
>
Yeah - that's probably a better idea.  It's garbage data if it's 
malformed.  Dropping it is far better.

             -Barry
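The two policies the thread contrasts, silently "finishing" an incomplete tag versus rejecting the content as malformed, can be made concrete with a small tag scanner. The following is an added example, not code from the thread or from any browser; the helper names (`normalize`, `is_well_formed`, `MalformedHTML`) are hypothetical, and the sample markup strings are constructed. In lenient mode the scanner does what the forgiving parser does (closes an unterminated tag at end of input, drops tags it cannot name, appends missing close tags); in strict mode the same inputs are refused, which is the behaviour Nick argues for and Barry agrees with.

```python
"""Strict vs. lenient handling of malformed HTML tags (added example).

Models the two policies from the thread on a deliberately tiny subset of
HTML: start tags, end tags, self-closing tags and a few void elements.
Comments, doctypes and CDATA are out of scope and are treated as invalid.
"""
import re
from typing import List, Tuple

Token = Tuple[str, str]  # ("text", content) or ("tag", inner text without < >)
TAG_NAME = re.compile(r"/?\s*([A-Za-z][A-Za-z0-9]*)")
VOID_ELEMENTS = {"br", "hr", "img", "input", "meta", "link"}  # never need a close tag


class MalformedHTML(ValueError):
    """Raised in strict mode when the markup is not well-formed."""


def tokenize(html: str, strict: bool) -> List[Token]:
    """Split markup into text and tag tokens.

    strict=True  -> an unterminated '<...' is rejected.
    strict=False -> the unterminated tag is silently closed at end of input,
                    which is the 'finishing incomplete tags' behaviour.
    """
    tokens: List[Token] = []
    i = 0
    while i < len(html):
        lt = html.find("<", i)
        if lt == -1:
            tokens.append(("text", html[i:]))
            break
        if lt > i:
            tokens.append(("text", html[i:lt]))
        gt = html.find(">", lt + 1)
        if gt == -1:
            if strict:
                raise MalformedHTML(f"unterminated tag at offset {lt}")
            tokens.append(("tag", html[lt + 1:]))  # lenient: assume the '>' was meant
            break
        tokens.append(("tag", html[lt + 1:gt]))
        i = gt + 1
    return tokens


def balance(tokens: List[Token], strict: bool) -> List[Token]:
    """Check that every start tag is closed in order.

    Strict mode rejects invalid names, stray closes and unclosed tags.
    Lenient mode drops the invalid tags and appends the missing closes.
    """
    out: List[Token] = []
    stack: List[str] = []
    for kind, body in tokens:
        if kind == "text":
            out.append((kind, body))
            continue
        m = TAG_NAME.match(body.strip())
        if m is None:
            if strict:
                raise MalformedHTML(f"invalid tag <{body}>")
            continue  # lenient: silently drop the unparseable tag
        name = m.group(1).lower()
        if body.lstrip().startswith("/"):
            if not stack or stack[-1] != name:
                if strict:
                    raise MalformedHTML(f"unexpected closing tag </{name}>")
                continue  # lenient: ignore the stray close tag
            stack.pop()
        elif name not in VOID_ELEMENTS and not body.rstrip().endswith("/"):
            stack.append(name)
        out.append(("tag", body))
    if stack:
        if strict:
            raise MalformedHTML(f"unclosed tags: {stack}")
        for name in reversed(stack):  # lenient: invent the missing close tags
            out.append(("tag", "/" + name))
    return out


def render(tokens: List[Token]) -> str:
    """Serialise tokens back to markup."""
    return "".join(body if kind == "text" else f"<{body}>" for kind, body in tokens)


def normalize(html: str, strict: bool) -> str:
    """Return the markup as the chosen policy would see it, or raise in strict mode."""
    return render(balance(tokenize(html, strict), strict))


def is_well_formed(html: str) -> bool:
    """True only if the strict policy accepts the markup unchanged."""
    try:
        normalize(html, strict=True)
        return True
    except MalformedHTML:
        return False


if __name__ == "__main__":
    # Constructed samples: one well-formed, the rest malformed in different ways.
    for sample in ["<p>Hello <b>world</b></p>", "<p>Hello <b>world", "click <a href=x", "x <1> y"]:
        verdict = "accept" if is_well_formed(sample) else "REJECT"
        print(f"{sample!r:32} strict={verdict:7} lenient={normalize(sample, strict=False)!r}")
```

The point the lenient column makes is that the forgiving parser does not merely tolerate the bad input, it rewrites it: the unterminated `<a href=x` becomes a complete anchor element around whatever follows, and the author of the page never sees that this happened. The strict column is the policy the thread settles on; an application-side validator that takes the same stance simply refuses the input rather than guessing what was meant.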