Message-ID: <41EBB346.8649.1C1FD080@localhost>
From: nick at virus-l.demon.co.uk (Nick FitzGerald)
Subject: iDEFENSE Security Advisory 01.14.05: Exim dns_buld_reverse() Buffer Overflow Vulnerability

Marc Haber wrote:

> > iDEFENSE Security Advisory 01.14.05
> > www.idefense.com/application/poi/display?id=183&type=vulnerabilities
>
> That web page is only viewable with JavaScript enabled, and is thus
> unviewable with a browser configured to minimize the surfing risk. For
> a security-related organization, I consider this poor design.

I've tried that line against them several times in the past. It seems they just don't care, so I take that to mean iDEFENSE is _NOT_ "a security-related organization".

Perhaps the purpose of the script gives us a clue as to the true nature of iDEFENSE's business?

There are two scripts in that page (in fact, last I checked, these scripts govern access to most pages on the iDEFENSE site). The first is an external script called thus:

   [script type="text/javascript" src="/js/flashdetect.js"][/script]

http://www.idefense.com/js/flashdetect.js sets a bunch of variables to "false", including "isFlash5" and "isFlashMX", then proceeds to determine whether either of the above should be set to "true".

The second script is page-specific because it includes content-specific URL redirections using JavaScript's "location" function (reformatted to a more Email-friendly indentation):

   [script language="JavaScript" type="text/javascript"]
   //[!--
   if (isFlashMX) {
      location = '/application/poi/display?id=183&type=vulnerabilities&flashstatus=true';
   } else {
      location = '/application/poi/display?id=183&type=vulnerabilities&flashstatus=false';
   }
   //--]
   [/script]

So, we can "fix" this dependence on scripting by using your preferred choice of these URLs:

   http://www.idefense.com/application/poi/display?id=183&type=vulnerabilities&flashstatus=false
   http://www.idefense.com/application/poi/display?id=183&type=vulnerabilities&flashstatus=true

Clearly the purpose of these scripts is to direct us to a "Flash-enabled" version of the page if our browsers are considered to be "Flash enough" to handle the required Flash version. So what do the fancy, Flash versions of these pages offer that the non-Flash versions don't? An egregiously animated background graphic for the "Power of Intelligence" banner and a typically anti-browser-navigation-methods "Flash" menu. Some agency or "celebrity designer" was probably badly overpaid for this excess of design indulgence over content accessibility, so it seems that marketing is a greater objective here than information provision and access...

Microsoft retroactively (i.e. in response to complaints) fixed its security bulletins last time they were re-designed by a gnat who could not only not comprehend that some folk willingly browse the web with scripting and ActiveX disabled, but was obviously given a design briefing, written by someone at the supposedly now entirely security-focussed Redmond giant, that did not specify suitable usability guidelines for the pages in question for varying levels of browser security setting. Sophos fixed its recently re-designed-into-scripting-hell virus description web pages following user complaints.

Shall we see if iDEFENSE can actually use "the power of intelligence" it claims to be able to provide its customers and produce security advisory pages that are actually functionally useful to its most security-conscious web visitors, rather than (perhaps) being the most visually appealing eye-candy for the security-ignorant it hopes to entice into being its new customers?

Regards,

Nick FitzGerald
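The redirect script quoted in the post sends every visitor through JavaScript before any content is reached, which is exactly what locks out a browser with scripting disabled. The following is an added example, not code from the post or from iDEFENSE, of the progressive-enhancement pattern the complaint implies: the page served without a flashstatus parameter is assumed to already be the complete, script-free version, and the script only upgrades to the Flash variant when Flash is detected, leaving everyone else where they are. The URL and the flashstatus parameter come from the post; the function names and the detection stub are assumptions.

```javascript
// Added example (not part of the original post): a progressive-enhancement
// rewrite of the Flash-detect redirect. Assumption: the page without a
// flashstatus parameter is the full, script-free version, so a browser with
// scripting disabled loses nothing. The script only upgrades to the Flash
// variant when Flash is present, and never redirects a page that has already
// chosen a variant.

// URL taken from the post.
const DEFAULT_URL =
  'http://www.idefense.com/application/poi/display?id=183&type=vulnerabilities';

// Decide whether a redirect is needed. Returns the target URL, or null when
// the current page should be left alone (no Flash, or a variant already chosen).
function chooseVariant(currentUrl, isFlashMX) {
  const url = new URL(currentUrl);
  if (url.searchParams.has('flashstatus')) {
    return null; // variant already selected; never redirect again
  }
  if (!isFlashMX) {
    return null; // the default page is already the non-Flash version
  }
  url.searchParams.set('flashstatus', 'true');
  return url.toString();
}

// Assumed stand-in for what flashdetect.js computes. Uses the browser's
// plugin MIME type table; in a non-browser runtime it simply reports "no Flash".
function detectFlashMX() {
  if (typeof navigator === 'undefined' || !navigator.mimeTypes) return false;
  return Boolean(navigator.mimeTypes['application/x-shockwave-flash']);
}

// Browser entry point: only runs where `location` exists, so the module can
// also be loaded in a non-browser runtime for testing.
if (typeof location !== 'undefined' && typeof document !== 'undefined') {
  const target = chooseVariant(location.href, detectFlashMX());
  if (target !== null) location.replace(target);
}
```

The design point is that the no-script path is the default served page rather than a destination the script has to reach: a visitor who minimises surfing risk by disabling scripting gets the advisory text immediately, and the Flash variant is an optional upgrade rather than a gate.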