On 10/18/07 10:47, Klaus Darilion wrote:
William Quan schrieb:
Hi all,
I came across a security alert that basically embeds javascript in the
display name of the From to initiate cross-site-scripting (XSS) attacks.
Here is an example:
From: "<script>alert('hack')</script>""user" <sip:user@domain.com>;tag=002a000c
That's a cool attack. I fear there will be more smart attacks in the
next time.
cooler and cooler. My opinion is that the client should take care. I do
not see any reason why an application will interpret the display or user
name. It should be printed as it is. Same we can say may happen with the
email, when the text message will be interpreted, but not just
displayed. Would be funny to get compile errors or code executed when
someone just gives a snippet in a message.
AFAIK, unless there is a need for escape/unescape, those values should be taken
literally. Of course, having something in openser to detect/prevent
would be nice, but just as an add-on. Don't forget that some headers
bring nightmare after changing them -- although, in such cases, the
caller device won't care too much :)
Cheers,
Daniel
klaus
Grammatically, I don't see an issue with this. However, under the right
circumstances this could get ugly.
Do you see value in having openser take a proactive role to detect these
and reject calls? Or is this outside the scope of what a proxy should
be doing (leave it to the UA to sanitize) ?
Looking to get your thoughts-
-will
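An added example, not code from this thread or from openser, showing both sides of the discussion in Python: a small parser for a From header shaped like the one quoted above, the literal-text rendering Daniel says the client must do, and a proxy-side heuristic of the kind an "add-on" check in the proxy would need. The header value is constructed from the example in the thread; the function names are mine.

```python
import html
import re

# Constructed sample From header, built from the example quoted in the thread:
# display name carrying markup, then the SIP URI and a tag parameter.
SAMPLE_FROM = '"<script>alert(\'hack\')</script>""user" <sip:user@domain.com>;tag=002a000c'

# display-name is the quoted string(s) or bare token before the <uri>;
# quoted strings may themselves contain '<' and '>'.
_FROM_RE = re.compile(
    r'^\s*(?P<name>(?:"[^"]*"\s*)+|[^<]*?)\s*<(?P<uri>[^>]+)>(?P<params>.*)$'
)


def parse_from(header: str) -> dict:
    """Split a name-addr From header into display name, URI and parameters.

    Adjacent quoted strings ("a""b"), as written in the thread's example,
    are joined into one display name.
    """
    m = _FROM_RE.match(header)
    if not m:
        raise ValueError("not a name-addr From header: %r" % header)
    raw = m.group("name").strip()
    if raw.startswith('"'):
        name = "".join(re.findall(r'"([^"]*)"', raw))
    else:
        name = raw
    return {"name": name, "uri": m.group("uri"), "params": m.group("params")}


def looks_like_markup(display_name: str) -> bool:
    """Proxy-side heuristic: flag display names that carry HTML/JS markup.

    This is only the kind of detection Daniel calls an add-on; a proxy
    cannot know how each UA renders the name, so it is not the fix.
    """
    pattern = r'<\s*/?\s*[a-zA-Z]|javascript:|\bon\w+\s*='
    return re.search(pattern, display_name, re.IGNORECASE) is not None


def render_display_name(display_name: str) -> str:
    """UA-side fix: treat the display name as literal text.

    A web-based UA escapes the value before placing it in HTML, so markup
    is shown verbatim instead of being interpreted by the browser.
    """
    return html.escape(display_name, quote=True)
```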
_______________________________________________
Users mailing list
Users(a)openser.org
http://openser.org/cgi-bin/mailman/listinfo/users