18 Oct
2007
18 Oct
'07
12:27 a.m.
William Quan wrote:
Hi all,
I came across a security alert that basically embeds javascript in the
display name of the From to initiate cross-site-scripting (XSS) attacks.
Here is an example:
From: "<script>alert('hack')</script>""user"
<sip:user at domain.com
<https://lists.grok.org.uk/mailman/listinfo/full-disclosure>>;tag=002a000c
Grammatically , I don't see an issue with this. However, under the right
circumstances this could get ugly.
Do you see value in having openser take a proactive role to detect these
and reject calls? Or is this outside the scope of what a proxy should
be doing (leave it to the UA to sanitize) ?
I think it should be left to the UA. It would be very difficult to come
up with good sanitizing rules, and they would get out of data very
quickly. Maybe an openser sanitizer module that would download SIP
attack signatures would make sense.
/Christian
Looking to get your thoughts-
-will
_______________________________________________
Users mailing list
Users(a)openser.org
http://openser.org/cgi-bin/mailman/listinfo/users