William Quan schrieb:
> Hi all,
> I came across a security alert that basically embeds javascript in the
> display name of the From to initiate cross-site-scripting (XSS) attacks.
> Here is an example:
> From: "<script>alert('hack')</script>""user" <sip:user at domain.com>;tag=002a000c
That's a cool attack. I fear there will be more smart attacks in the near
future.
klaus
> Grammatically, I don't see an issue with this. However, under the right
> circumstances this could get ugly.
> Do you see value in having openser take a proactive role to detect these
> and reject calls? Or is this outside the scope of what a proxy should
> be doing (leave it to the UA to sanitize)?
> Looking to get your thoughts-
> -will
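Both sides of the proxy-versus-UA question above can be sketched in a few lines. The following is an added example, not code from this thread or from openser: it splits a From header into display name and URI, flags display names carrying HTML/script markup (what a proxy policy would check before rejecting), and HTML-escapes the name (what a web-based UA must do before rendering it). The sample header is constructed after the one quoted in the thread; the regexes and function names are assumptions, not any openser API.

```python
import html
import re

# Constructed sample, modelled on the header quoted in the thread.
SAMPLE_FROM = '"<script>alert(\'hack\')</script>""user" <sip:user@domain.com>;tag=002a000c'

# name-addr form: optional display name, then <uri> anchored on a SIP/SIPS/TEL scheme
# so that a '<' inside the display name is not mistaken for the start of the URI.
NAME_ADDR_RE = re.compile(r'^\s*(?P<name>.*?)\s*<(?P<uri>(?:sips?|tel):[^>]*)>(?P<params>.*)$')
# Markup a browser-based UA might interpret: an HTML tag opener or a javascript: URL.
MARKUP_RE = re.compile(r'<\s*/?\s*[a-z][a-z0-9]*|javascript:', re.IGNORECASE)


def split_from(header):
    """Return (raw_display_name, uri, params) for name-addr or bare addr-spec headers."""
    m = NAME_ADDR_RE.match(header)
    if m:
        return m.group('name'), m.group('uri'), m.group('params')
    uri, _, params = header.partition(';')          # addr-spec form: no display name
    return '', uri.strip(), (';' + params) if params else ''


def unquote_display_name(raw):
    """Strip quotes and backslash escapes; adjacent quoted strings are concatenated."""
    out, in_quote, i = [], False, 0
    while i < len(raw):
        c = raw[i]
        if c == '"':
            in_quote = not in_quote
        elif c == '\\' and in_quote and i + 1 < len(raw):
            i += 1                                  # keep the escaped character literally
            out.append(raw[i])
        else:
            out.append(c)
        i += 1
    return ''.join(out).strip()


def suspicious_display_name(header):
    """Proxy-side check: True when the display name carries HTML or script markup."""
    raw_name, _, _ = split_from(header)
    return bool(MARKUP_RE.search(unquote_display_name(raw_name)))


def render_safe_display_name(header):
    """UA-side handling: escape the display name so a browser renders it as text."""
    raw_name, _, _ = split_from(header)
    return html.escape(unquote_display_name(raw_name), quote=True)
```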
_______________________________________________
Users mailing list
Users(a)openser.org
http://openser.org/cgi-bin/mailman/listinfo/users