| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <dd5f5ac90601030421q526ddd62p@mail.gmail.com> Date: Tue Jan 3 12:21:30 2006 From: thomas.pollet at gmail.com (Thomas Pollet) Subject: Open Xchange XSS Open Xchange webmail (<=0.8.1-6) suffers from xss. http://mirror.open-xchange.org/ox/EN/community/ Vendor response: For the commercial OX you don't need this as there exists additional security options where you will not able to use this session. It's a general problem for all web based mailers and some of them try to filter such scripts, some of them do not and show a warning instead that the document may contains "dangerous content". But you will never be able to filter all possible scriptings. Displaying HTML content is ALWAYS an unsecure option, so it is recommended to disable "Inline HTML" at the WebMail options. Anyway, I will check if I can make some basic filter to get most of such tags. Cheers, Thomas -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20060103/a02c80d2/attachment.html
Powered by blists - more mailing lists