At 16:26 18/10/2007, Daniel-Constantin Mierla wrote:
On 10/18/07 10:47, Klaus Darilion wrote:
William Quan schrieb:
Hi all, I came across a security alert that basically embeds javascript in the display name of the From to initiate cross-site-scripting (XSS) attacks. Here is an example:
From: "<script>alert('hack')</script>""user" <sip:user at domain.com https://lists.grok.org.uk/mailman/listinfo/full-disclosure>;tag=002a000c
Thats a cool attack. I fear there will be more smart attacks in the next time.
cooler and cooler. My opinion is that the client should take care. I do not see any reason why an application will interpret the display or user name.
'cos your phone has a webpage with received calls.
It should be printed as it is. Same we can say may happen with the email, when the text message will be interpreted, but not just displayed. Would be funny to get compile errors or code executed when someone just gives a snippet in a message.
AFAIK, unless is need for escape/unescape, those values should be taken literally. Of course, having something in openser to detect/prevent would be nice, but just as an add-on. Don't forget that some headers bring nightmare after changing them -- although, in such cases, the caller device won't care too much :)
possibly nice-to-have, but wasted effort IMO, see the previous email. something generally app-unaware ('cos who knows what the actual app is) can't filter app, and attempts to do so always lag behind the attackers or break the apps.
-jiri
-- Jiri Kuthan http://iptel.org/~jiri/