Re: recent 'cross site scripting' CERT advisory

From: Gregory Steuck (gregat_private)
Date: Tue Feb 08 2000 - 23:52:07 PST


    >>>>> "Henri" == Henri Torgemane <metal_hurlantat_private> writes:
    
        Henri> But if it is done right (i.e.: you're explicitly specifying
        Henri> which files don't need a REFERRER check, rather than trying
        Henri> to keep a list of every script that needs it), I believe it
        Henri> can provide instant CSS protection without having to audit
        Henri> all these server scripts right away.
    
    While we are at it, let's not forget that Referer is a privacy breach on
    its own. And those who use junkbuster never send referer headers.  So be
    careful when recommending referer as a remedy, it might hit security
    conscious types.
    
    Bye
    Greg
    
    P.S. Yeah, one can configure junkbuster to send referer header to certain
    sites but it's a hassle.
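As an added example that is not part of the original thread: a Referer-based request check that exempts explicitly named files (Henri's approach) and shows what happens to a client that sends no Referer at all (Greg's objection). The host name, paths and header values are constructed for the example.

```python
# Added example (not from the original thread): a Referer-based request check
# of the kind Henri describes, with the failure mode Greg raises.
from urllib.parse import urlsplit

# Files that never need a Referer check. Everything else is checked by
# default, so the list only grows when a file is deliberately exempted.
# Constructed for this example.
NO_REFERER_CHECK = {"/", "/index.html", "/static/logo.gif"}

ALLOW, DENY, DENY_NO_REFERER = "allow", "deny", "deny-no-referer"


def referer_decision(path, headers, host, exempt=NO_REFERER_CHECK):
    """Decide whether to serve a request based on its Referer header.

    path    -- request path (query string already stripped by the caller)
    headers -- dict of request headers with lower-cased keys
    host    -- the host name this server expects to see in Referer
    Returns one of ALLOW, DENY, DENY_NO_REFERER.
    """
    if path in exempt:
        return ALLOW                      # explicitly exempted file
    referer = headers.get("referer")
    if not referer:
        # Privacy proxies such as junkbuster strip the header entirely,
        # so a strict check turns away those users even on legitimate use.
        return DENY_NO_REFERER
    ref_host = urlsplit(referer).hostname
    if ref_host is None or ref_host.lower() != host.lower():
        return DENY                       # request came from another site
    return ALLOW


def demo():
    """Run the check over a few constructed requests and return the verdicts."""
    host = "www.example.com"
    same_site = {"referer": "http://www.example.com/form.html"}
    other_site = {"referer": "http://other.example.net/page.html"}
    stripped = {}                         # junkbuster-style request, no Referer
    return {
        "same-site script": referer_decision("/cgi-bin/search", same_site, host),
        "cross-site script": referer_decision("/cgi-bin/search", other_site, host),
        "no referer script": referer_decision("/cgi-bin/search", stripped, host),
        "no referer exempt": referer_decision("/index.html", stripped, host),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:20} -> {verdict}")
```

The third case is the one Greg warns about: the request is legitimate, but because the client never sends Referer the server cannot tell it from a cross-site one and rejects it.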
    
    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:34:00 PDT