Clarification - IE gopher cross site scripting

From: KF (dotslashat_private)
Date: Sun Jun 16 2002 - 22:17:15 PDT

Next message: gobblesat_private: "Recent "rumors""

Previous message: Rich Henning: "Re [BUGTRAQ] : ZyXEL 642R(-11) AJ.6 SYN-ACK, SYN-FIN DoS"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hey guys ... just a little follow up and clarification about this issue. 
It has been brought to my attention that perhaps this is not a "Cross 
site scripting" issue but simply "Javascript injection?" (for lack of a 
better term). My main concern with this issue is simply the fact that by 
going to a gopher site the javascript is executed. One might argue that 
any site you view has the potential for javascript to be embeded in the 
html... so the question becomes are there any scenarios where this could 
pose an added security threat? I believe .cache files are created from 
the contents of the gopher directory so if someone has access to add 
files to a gopher server they may be able to trigger this for the 
clients that navigate to the site.

Comments?

-KF

Next message: gobblesat_private: "Recent "rumors""
Previous message: Rich Henning: "Re [BUGTRAQ] : ZyXEL 642R(-11) AJ.6 SYN-ACK, SYN-FIN DoS"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Mon Jun 17 2002 - 20:17:06 PDT