At 18:13 17/10/2007, William Quan wrote:
Hi all,
I came across a security alert that basically embeds javascript in the
display name of the From to initiate cross-site-scripting (XSS) attacks.
Here is an example:
From: "<script>alert('hack')</script>""user" <sip:user@domain.com>;tag=002a000c
Grammatically, I don't see an issue with this. However, under the right
circumstances this could get ugly.
Do you see value in having openser take a proactive role to detect these
and reject calls? Or is this outside the scope of what a proxy should
be doing (leave it to the UA to sanitize) ?
We have been thinking hard about this in the SER community. My 2 cents are that
sanitizing in the proxy is of limited impact. The trouble is that it is not
just JavaScript, it can be literally any application in any language, which
is fed some crafted data tunneled through SIP. The SIP proxy can be taught to
detect JavaScript but who knows what is going to come next. Thus I think
that JavaScript enabled apps should test SER-produced data for JavaScript
data, and XYZ-apps should test SER-produced data for XYZ-script data.
As an example, the latest serweb version, which uses JavaScript, is resistant
against such JavaScript attacks.
-jiri
Looking to get your thoughts-
-will
_______________________________________________
Users mailing list
Users(a)openser.org
http://openser.org/cgi-bin/mailman/listinfo/users
--
Jiri Kuthan
http://iptel.org/~jiri/
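The consumer-side approach Jiri argues for, as an added example that is not code from this thread, from OpenSER/SER or from serweb: a small Python parser for a SIP From header value, followed by two different sinks (an HTML view and a JSON API) that each encode the display name for their own context. The sample header is constructed after the one William quoted; the parser handles the name-addr form with quoted-string or token display names and falls back to a simplified treatment of the bare addr-spec form.

```python
import html
import json
import re

# Constructed sample, modelled on the header quoted in the thread
# (script tag in the display name; URI and tag value are placeholders).
SAMPLE_FROM = '"<script>alert(\'hack\')</script>""user" <sip:user@domain.com>;tag=002a000c'

# name-addr: optional display name (one or more quoted-strings, or tokens),
# then <uri>, then ;header-params.
_NAME_ADDR = re.compile(
    r'^\s*(?P<name>(?:"(?:[^"\\]|\\.)*"\s*)+|[^<"]*?)\s*<(?P<uri>[^>]*)>(?P<params>.*)$')
_QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')


def _params(text):
    """Turn ';tag=abc;x=y' into {'tag': 'abc', 'x': 'y'} (keys lower-cased)."""
    out = {}
    for p in text.split(';'):
        p = p.strip()
        if p:
            k, _, v = p.partition('=')
            out[k.lower()] = v
    return out


def parse_from(header):
    """Split a SIP From header value into display name, URI and parameters.

    The display name is returned decoded but otherwise untouched: the parser
    does not try to judge whether it is 'safe', because which characters are
    dangerous depends on where the value is later rendered.
    """
    m = _NAME_ADDR.match(header)
    if m is None:
        # Simplified addr-spec form: bare URI, everything after ';' as params.
        uri, _, rest = header.strip().partition(';')
        return {'display': '', 'uri': uri, 'params': _params(rest)}
    raw = m.group('name').strip()
    quoted = _QUOTED.findall(raw)
    if quoted:
        # Resolve \" and \\ inside each quoted-string and join the pieces
        # (the thread's sample carries two adjacent quoted-strings).
        name = ''.join(re.sub(r'\\(.)', r'\1', q) for q in quoted)
    else:
        name = raw
    return {'display': name, 'uri': m.group('uri'),
            'params': _params(m.group('params'))}


def render_caller_html(header):
    """HTML text-context sink: escape on output, so markup in the name is inert."""
    f = parse_from(header)
    return '<span class="caller">{} &lt;{}&gt;</span>'.format(
        html.escape(f['display']), html.escape(f['uri']))


def render_caller_json(header):
    """JSON sink: a different context, so a different encoder does the work."""
    f = parse_from(header)
    return json.dumps({'display': f['display'], 'uri': f['uri']})


if __name__ == '__main__':
    print(render_caller_html(SAMPLE_FROM))
    print(render_caller_json(SAMPLE_FROM))
```

The point of keeping `parse_from` free of any "is this JavaScript?" logic is the one made in the reply: the proxy, or a shared parser, cannot know every downstream interpreter, so each application escapes for the context it writes into.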