Re: Fwd: GOBBLES RESPONSE TO THE BLUE BOAR ("fixed version")

From: 3APA3A (3APA3Aat_private)
Date: Tue May 14 2002 - 00:47:01 PDT


    Dear gobblesat_private,
    
    First, thanks for the findings anyway. I do treat the CSS problem you
    found as a security problem, because if any attack against a client
    can be prevented by the server, it should be.
    
    BUT
    
    ghc> GOBBLES LABS has tested various versions of Netscape and Galeon.
    ghc> Blue Boar, we'll have to disagree with you here since we're sure
    ghc> the number of people using these browsers is much higher than the
    ghc> total number of sites using the collective mass of scripts
    ghc> vulnerable to cross-scripting attacks that have made their debut on
    ghc> Vuln-Dev. With the work of Georgi Guninski (www.guninski.com),
    ghc> would you really use IE?
    
    Netscape and Netscape 4.x are not the same thing. Netscape 4 is really
    weak. It's also possible to have cross-site scripting in Netscape by
    using the nearly undocumented mocha:// reference. For example,
    
     mocha:alert('Hello world')
    
    works fine in Netscape 4.7x. And I'm not sure that's all of Netscape's
    surprises. Do you wanna check all websites/chats/guestbooks for this
    issue? :))
    
    Netscape 4.xx has more security problems than any Internet Explorer
    version. It has: multiple buffer overflows, local file and cross-site
    access (bohttpd bug is really funny), multiple information leakages,
    etc. So, one who cares about security will never use older Netscape
    versions. Check Bugtraq archives.
    
    
    -- 
    ~/ZARAZA
    Shooting a second time, he crippled a bystander. The bystander was me. (Twain)
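
An added example, not part of the original message or written by its author: a server-side link check for guestbook-style input that allows only known schemes, so a scheme such as mocha: is rejected without having to be known in advance. The function names, the allowed-scheme set and the sample inputs are assumptions constructed for illustration.

```python
import html
import re

# Assumption: the application only needs these link schemes.
ALLOWED_SCHEMES = {"http", "https", "ftp", "mailto"}

# URL parsers strip tabs and newlines; removing every control character and
# space before the check is the conservative choice.
_IGNORED = re.compile(r"[\x00-\x20\x7f]")
_SCHEME = re.compile(r"^([a-z][a-z0-9+.\-]*):")


def naive_denylist_ok(url):
    """Weak check: blocks only the one scripting scheme the author knew of."""
    return not url.lower().startswith("javascript:")


def link_scheme(url):
    """Return the normalised scheme of a user-supplied link, or None if relative."""
    # Decode character references first, as the browser will when the value
    # is written into an HTML attribute (&#109;ocha: becomes mocha:).
    cleaned = _IGNORED.sub("", html.unescape(url)).lower()
    match = _SCHEME.match(cleaned)
    return match.group(1) if match else None


def is_safe_link(url):
    """Allowlist check: relative links pass, absolute links need a known scheme."""
    scheme = link_scheme(url)
    return scheme is None or scheme in ALLOWED_SCHEMES


# Constructed sample inputs, as they might be submitted to a guestbook.
SAMPLES = [
    "http://example.com/",
    "guestbook.html#top",
    "javascript:alert(1)",
    "mocha:alert('Hello world')",
    " Mo\tcha:alert(1)",
    "&#109;ocha:alert(1)",
]


def compare_checks():
    """Return (input, denylist verdict, allowlist verdict) for each sample."""
    return [(s, naive_denylist_ok(s), is_safe_link(s)) for s in SAMPLES]


if __name__ == "__main__":
    for sample, deny_ok, allow_ok in compare_checks():
        print(f"{sample!r:32} denylist={deny_ok!s:5} allowlist={allow_ok}")
```

The denylist accepts every mocha: variant in the sample set, while the allowlist rejects them along with any other scheme it was not told about.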
    


