Clarification - IE gopher cross site scripting

From: KF (dotslashat_private)
Date: Sun Jun 16 2002 - 22:17:15 PDT

  • Next message: gobblesat_private: "Recent "rumors""

    Hey guys ... just a little follow up and clarification about this issue. 
    It has been brought to my attention that perhaps this is not a "Cross 
    site scripting" issue but simply "Javascript injection?" (for lack of a 
    better term). My main concern with this issue is simply the fact that by 
    going to a gopher site the javascript is executed. One might argue that 
    any site you view has the potential for javascript to be embeded in the 
    html... so the question becomes are there any scenarios where this could 
    pose an added security threat? I believe .cache files are created from 
    the contents of the gopher directory so if someone has access to add 
    files to a gopher server they may be able to trigger this for the 
    clients that navigate to the site.
    
    Comments?
    
    -KF
    



    This archive was generated by hypermail 2b30 : Mon Jun 17 2002 - 20:17:06 PDT