Bugtraq mailing list archives
Re: [Fwd: Re: Cross-Site Request Forgeries (Re: The Dangers of Allowing Users to Post Images)]
From: Mark Tinberg <mtinberg () securepipe com>
Date: Tue, 19 Jun 2001 17:02:52 -0500
Lincoln Yeoh wrote:
And if Microsoft Word becomes very intertwined with IE (word uses IE to fetch stuff) then word documents with image/object links will also be an issue. Mix well and add a few macros to taste ;).
While MS is the big wide target, it isn't just them that need to worry.

1) Many other pieces of software, including mail clients, use the mshtml.dll library and can inherit any security bugs. I seem to fuzzily remember Eudora mail and Novell GroupWise client allowing JavaScript popups and probably being vulnerable to a whole host of vulnerabilities. Luckily most vulnerabilities are targeted at Outlook and OE but could be recoded to use other email clients.

2) Other environments that provide tight integration of components (I'm thinking of KDE/Konqueror since I am a user of it) may also be vulnerable to these issues.

I don't really know how other environments/object models deal with these issues, it would be nice to hear from the various development teams/companies and how they have dealt with these issues.

--
Mark Tinberg <MTinberg () securepipe com>
Network Security Engineer
SecurePipe, Inc. -- Managed Network Security Services
Remember: Wherever you go, there you are!