Re: [OT] "Hacker Safe"

This WebDNA talk-list message is from

2007


It keeps the original formatting.
numero = 69482
interpreted = N
texte = Hi Donovan I use Hacker Safe for some of my clients. The biggest problem that I had (not really big) was if someone put a script into a textarea and the script was then processed, to solve the problem make sure all textarea entries are URL'd so that they won't return "<" or ">" this then stops any script for processing On 15/11/2007, at 11:58 AM, Donovan Brooke wrote: > Hello, > > I am working with a client that uses a service called > "hacker safe". They notified me of a "volnurability" > in a site I've been working on that involves sending > javascript in a URL. I am trying to determine the > scope of this "volnurability" as it seems just about > every dynamic site on the planet is suseptable to this. > > For example, use this URL to access the Apple store > which appears to be volnurable in the same way. > (you may have to repair email linebreaks before using): > > http://store.apple.com/1-800-MY-APPLE/WebObjects/AppleStore.woa/wa/RSLID?nnmm=browse&mco=%3E%22%3E%3Cscript%3Ealert%28123%29%3C/script%3E%3C%22&node=home/shop_iphone/family/iphone > > > What kind of "harmful" javascript could replace the > non-harmful example 123 script?... > > Hacker Safe says: > The damage caused by such an attack can range from stealing > session and cookie data from your customers to loading a > virus payload onto their computer via browser. > > stealing "session" info does not sound good... I never > store anything sensitive in cookies, so I don't think > that is a problem. I have no idea what "loading a virus > payload onto their computer via browser" means. > > What's your thoughts? > > Donovan > > > > -- > =o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o > DONOVAN D. BROOKE EUCA Design Center > > <- Web Development (specializing in eCommerce),-> > <- Desktop Publishing, Print Consulting, Labels -> > <- Glass Blowing, and Art Glass -> > > PH/FAX:> 1 (608) 770-3822 > Web:> http://www.egg.bz | http://www.euca.us > =o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o > > ------------------------------------------------------------- > This message is sent to you because you are subscribed to > the mailing list . > To unsubscribe, E-mail to: > To switch to the DIGEST mode, E-mail to > > Web Archive of this list is at: http://webdna.smithmicro.com/ ------------------------------------------------------------- This message is sent to you because you are subscribed to the mailing list . To unsubscribe, E-mail to: To switch to the DIGEST mode, E-mail to Web Archive of this list is at: http://webdna.smithmicro.com/ Associated Messages, from the most recent to the oldest:

    
  1. Re: [OT] "Hacker Safe" ( Matthew A Perosi 2007)
  2. Re: [OT] "Hacker Safe" ( Donovan Brooke 2007)
  3. Re: [OT] "Hacker Safe" ( Donovan Brooke 2007)
  4. Re: [OT] "Hacker Safe" ( Clint Davis 2007)
  5. Re: [OT] "Hacker Safe" ( Matthew A Perosi 2007)
  6. Re: [OT] "Hacker Safe" ( Donovan Brooke 2007)
  7. Re: [OT] "Hacker Safe" ( Stuart Tremain 2007)
  8. [OT] "Hacker Safe" ( Donovan Brooke 2007)
Hi Donovan I use Hacker Safe for some of my clients. The biggest problem that I had (not really big) was if someone put a script into a textarea and the script was then processed, to solve the problem make sure all textarea entries are URL'd so that they won't return "<" or ">" this then stops any script for processing On 15/11/2007, at 11:58 AM, Donovan Brooke wrote: > Hello, > > I am working with a client that uses a service called > "hacker safe". They notified me of a "volnurability" > in a site I've been working on that involves sending > javascript in a URL. I am trying to determine the > scope of this "volnurability" as it seems just about > every dynamic site on the planet is suseptable to this. > > For example, use this URL to access the Apple store > which appears to be volnurable in the same way. > (you may have to repair email linebreaks before using): > > http://store.apple.com/1-800-MY-APPLE/WebObjects/AppleStore.woa/wa/RSLID?nnmm=browse&mco=%3E%22%3E%3Cscript%3Ealert%28123%29%3C/script%3E%3C%22&node=home/shop_iphone/family/iphone > > > What kind of "harmful" javascript could replace the > non-harmful example 123 script?... > > Hacker Safe says: > The damage caused by such an attack can range from stealing > session and cookie data from your customers to loading a > virus payload onto their computer via browser. > > stealing "session" info does not sound good... I never > store anything sensitive in cookies, so I don't think > that is a problem. I have no idea what "loading a virus > payload onto their computer via browser" means. > > What's your thoughts? > > Donovan > > > > -- > =o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o > DONOVAN D. BROOKE EUCA Design Center > > <- Web Development (specializing in eCommerce),-> > <- Desktop Publishing, Print Consulting, Labels -> > <- Glass Blowing, and Art Glass -> > > PH/FAX:> 1 (608) 770-3822 > Web:> http://www.egg.bz | http://www.euca.us > =o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o > > ------------------------------------------------------------- > This message is sent to you because you are subscribed to > the mailing list . > To unsubscribe, E-mail to: > To switch to the DIGEST mode, E-mail to > > Web Archive of this list is at: http://webdna.smithmicro.com/ ------------------------------------------------------------- This message is sent to you because you are subscribed to the mailing list . To unsubscribe, E-mail to: To switch to the DIGEST mode, E-mail to Web Archive of this list is at: http://webdna.smithmicro.com/ Stuart Tremain

DOWNLOAD WEBDNA NOW!

Top Articles:

Talk List

The WebDNA community talk-list is the best place to get some help: several hundred extremely proficient programmers with an excellent knowledge of WebDNA and an excellent spirit will deliver all the tips and tricks you can imagine...

Related Readings:

How to archive....? (1998) Re:Has this happened to you? (was:Emailer Chokes on bad address) (1997) two unique banners on one page (1997) WebCatalog Mac 2.1b3 (1997) URL for Discussion Archive (1997) Frames (1997) WebTen and WebCat (1997) Document Contains No Data! (1997) Bug or syntax error on my part? (1997) Help! WebCat2 bug (1997) Show if time tags (1997) OT: [WAY IN RIGHT FIELD SOMEWHERE] Spam Filters (2005) WebCat2b12 - nesting [tags] (1997) 9 digit zip (2002) WebCat2: Items xx to xx shown, etc. (1997) Three new problems, maybe a fourth (1997) Converting spaces to + in results list (2000) shipcost (1997) shoppingcart reload qty (1997) Accented chars and emailer (1998)