> There used to be a lot of discussion about XSS, cross-site scripting where
> you can insert html into pages that are viewed by many ppl and steal info...
>
> most of these sites (e.g. a bulletin board) have been updated to protect
> this behaviour...
>
> however, i've noticed that many do not cover headers..

What you're talking about seems pretty similar to the "Sonicwall SOHO Content Blocking Script Injection, LogFile Denial of Service" (http://online.securityfocus.com/archive/82/272965).

Given that ...

a) It's only a problem where the admin views logs in html.
b) Generally script injection can come from any number of sources, html forms, the http request, the request header, an email, a newsgroup post, an identd response/request, in fact anywhere you don't trust and most places you do trust.

.. then, imo, it's much better to worry about XSS when you're writing the dynamic page that it might appear in, not when receiving the potentially malicious input. There's no harm storing some javascript in a database or whatever, just so long as you filter it before it appears in anyone's browser.

Ofc, that doesn't mean that's how people have been shoring up their dynamic sites so, yes, there's undoubtedly more vulnerable admin logs out there.

- Blazde
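
The approach described in the message above (store request data as received, encode it when the HTML log page is written), as an added example that is not part of the original post. The record layout, the column choice and the function names are assumptions, and the log entries are constructed.

```python
import html

# Constructed sample records: request data stored exactly as it was received.
LOG = [
    {"ip": "192.0.2.10", "path": "/index.html",
     "headers": {"User-Agent": "Mozilla/4.0", "Referer": "http://example.com/"}},
    {"ip": "192.0.2.77", "path": "/search?q=<b>x</b>",
     "headers": {"User-Agent": "<script>alert(1)</script>",
                 "Referer": '"><img src=x onerror=alert(2)>'}},
]

# Header columns shown in the admin view (assumed for this example).
COLUMNS = ("User-Agent", "Referer")


def cell(value, encode):
    """Return one table cell; with encode=True the value is HTML-escaped."""
    text = "" if value is None else str(value)
    if encode:
        # Escapes & < > " ' so the value is displayed as text, never parsed as markup.
        text = html.escape(text, quote=True)
    return "<td>" + text + "</td>"


def render_log(records, encode=True):
    """Build the HTML log table. encode=False reproduces the vulnerable viewer."""
    head = "".join("<th>%s</th>" % h for h in ("IP", "Path") + COLUMNS)
    rows = ["<tr>" + head + "</tr>"]
    for rec in records:
        # Every field goes through cell(): path and headers are all untrusted.
        fields = [rec["ip"], rec["path"]]
        fields += [rec["headers"].get(name) for name in COLUMNS]
        rows.append("<tr>" + "".join(cell(f, encode) for f in fields) + "</tr>")
    return "<table>\n" + "\n".join(rows) + "\n</table>"


if __name__ == "__main__":
    print(render_log(LOG))
```
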
This archive was generated by hypermail 2b30 : Sun May 26 2002 - 14:10:38 PDT