From: Jiri Kuthan
To: sr-users@lists.kamailio.org
Subject: Re: [OpenSER-Users] sanitizing sip requests
Date: Fri, 19 Oct 2007 10:20:53 +0200
Message-ID: <20071019082056.3096D18111E7@mail.iptel.org>
In-Reply-To: <47176D33.3000801@voice-system.ro>

At 16:26 18/10/2007, Daniel-Constantin Mierla wrote:
>On 10/18/07 10:47, Klaus Darilion wrote:
>>
>>
>>William Quan wrote:
>>>Hi all,
>>>I came across a security alert that basically embeds JavaScript in the
>>>display name of the From to initiate cross-site-scripting (XSS) attacks.
>>>Here is an example:
>>>
>>>From: """user"
>>>>;tag=002a000c
>>
>>That's a cool attack. I fear there will be more smart attacks in the next time.
>cooler and cooler. My opinion is that the client should take care. I do not see any reason why an application will interpret the display or user name.

'cos your phone has a webpage with received calls.

>It should be printed as it is. Same we can say may happen with the email, when the text message will be interpreted, but not just displayed. Would be funny to get compile errors or code executed when someone just gives a snippet in a message.
>
>AFAIK, unless there is need for escape/unescape, those values should be taken literally. Of course, having something in openser to detect/prevent would be nice, but just as an add-on. Don't forget that some headers bring nightmare after changing them -- although, in such cases, the caller device won't care too much :)

Possibly nice-to-have, but wasted effort IMO, see the previous email. Something generally app-unaware ('cos who knows what the actual app is) can't filter app, and attempts to do so always lag behind the attackers or break the apps.

-jiri

--
Jiri Kuthan http://iptel.org/~jiri/
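The thread's point is that the rendering application, here the phone's web page of received calls, is where a caller-supplied display name turns into markup, so that is where it has to be treated as text. The following is an added example, not code from the thread, from OpenSER or from any phone vendor: a small RFC 3261 name-addr parser (quoted-string display names with backslash escapes, plus the bare addr-spec form) and a call-log table row rendered once by naive string concatenation and once with HTML escaping. The From header value, the function names and the table layout are constructed for illustration.

```javascript
// Added example (not from the thread): decoding a SIP From display-name and
// rendering it into a call-log web page. Node.js, no dependencies.

// Parse a SIP From/To header value. RFC 3261 allows two shapes:
//   name-addr: [display-name] "<" addr-spec ">" *(;param)
//   addr-spec: sip:user@host *(;param)
// Returns { displayName, uri }. displayName is the decoded text exactly as
// the caller sent it; nothing here makes it safe for any particular output.
function parseNameAddr(headerValue) {
  const s = headerValue.trim();
  let displayName = "";
  let pos = 0;
  if (s[0] === '"') {
    // quoted-string: a backslash escapes the following character, so the
    // closing quote cannot be found with a plain indexOf.
    let out = "";
    pos = 1;
    while (pos < s.length && s[pos] !== '"') {
      if (s[pos] === "\\" && pos + 1 < s.length) {
        out += s[pos + 1];
        pos += 2;
      } else {
        out += s[pos];
        pos += 1;
      }
    }
    if (pos >= s.length) throw new Error("unterminated quoted display-name");
    pos += 1; // skip the closing quote
    displayName = out;
  } else {
    const firstLt = s.indexOf("<");
    if (firstLt < 0) {
      // bare addr-spec; header params (e.g. ;tag=) follow the URI
      return { displayName: "", uri: s.split(";")[0].trim() };
    }
    displayName = s.slice(0, firstLt).trim(); // unquoted token display-name
    pos = firstLt;
  }
  const lt = s.indexOf("<", pos);
  const gt = s.indexOf(">", lt + 1);
  if (lt < 0 || gt < 0) throw new Error("malformed name-addr");
  return { displayName, uri: s.slice(lt + 1, gt) };
}

// Escape the five characters that let text be read as HTML markup.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// The naive call-log page: the display name is pasted straight into HTML,
// so a caller who sends markup in the display name controls the page.
function renderCallRowUnsafe(fromHeader) {
  const { displayName, uri } = parseNameAddr(fromHeader);
  return `<tr><td>${displayName}</td><td>${uri}</td></tr>`;
}

// The fixed page: every caller-controlled value is escaped as text at the
// point where it enters HTML. The SIP proxy never had to touch the header.
function renderCallRowSafe(fromHeader) {
  const { displayName, uri } = parseNameAddr(fromHeader);
  return `<tr><td>${escapeHtml(displayName)}</td><td>${escapeHtml(uri)}</td></tr>`;
}

// Constructed sample header (hypothetical user and host) with markup in the
// display name, the pattern the thread discusses.
const CONSTRUCTED_FROM = '"<script>x</script>" <sip:user@example.com>;tag=002a000c';

console.log("unsafe:", renderCallRowUnsafe(CONSTRUCTED_FROM));
console.log("safe:  ", renderCallRowSafe(CONSTRUCTED_FROM));
```

Escaping is done by the renderer rather than the proxy because, as the thread argues, only the output context knows which characters are dangerous: the same display name is harmless in a text-only log and dangerous in HTML, and a proxy that rewrites From would break the caller's dialog matching.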