oss-sec mailing list archives
Re: Terminal escape sequences - the new XSS for admins?
From: Florian Weimer <fw () deneb enyo de>
Date: Tue, 11 Aug 2015 23:34:50 +0200
* Steve Grubb:
> In my survey recently, some emulators could set the window title; none of them supported reading the window title back to the command prompt. If you find one that does, it is one that is at risk.
Upstream xterm has other problematic window ops enabled by default. Debian should disable all of them since xterm version 251-1, but this is a downstream-specific change. (Upstream documentation is also a bit misleading, AFAICS.)
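An added example, not part of the original message or of any project named in it: a viewer-side check that lists title-setting and window-op sequences in untrusted text and makes control characters visible before the text reaches a terminal. It assumes xterm's documented sequences (OSC 0/1/2 to set the title, CSI Ps t for window ops, with Ps 20 and 21 reporting the icon label and title); the function names and the sample log lines are constructed for illustration.

```python
import re

# OSC 0/1/2 set the icon name and/or window title; ended by BEL or ST (ESC \).
OSC_TITLE = re.compile(r'\x1b\][012];([^\x07\x1b]*)(?:\x07|\x1b\\)')
# xterm window ops: CSI Ps ; Ps ; Ps t
CSI_WINOP = re.compile(r'\x1b\[([0-9;]*)t')
# Ps values that make the terminal send a label or title back as input.
REPORT_TEXT = {'20', '21'}
# C0 and C1 control characters except tab and newline, plus DEL.
CONTROL = re.compile(r'[\x00-\x08\x0b-\x1f\x7f-\x9f]')


def findings(text):
    """Return sorted (offset, kind) pairs for title and window-op sequences."""
    out = [(m.start(), 'set-title') for m in OSC_TITLE.finditer(text)]
    for m in CSI_WINOP.finditer(text):
        first = m.group(1).split(';')[0]
        kind = 'report-title' if first in REPORT_TEXT else 'window-op'
        out.append((m.start(), kind))
    return sorted(out)


def neutralize(text):
    """Rewrite control characters as visible \\xNN so a terminal ignores them."""
    return CONTROL.sub(lambda m: '\\x%02x' % ord(m.group()), text)


def review(raw):
    """Decode untrusted bytes, list findings, and return display-safe text."""
    text = raw.decode('utf-8', errors='replace')
    return findings(text), neutralize(text)


# Constructed sample log: one title-set sequence and one title-report request.
SAMPLE = (b'GET /index.html 200\n'
          b'GET /\x1b]2;constructed-title\x07 404\n'
          b'GET /\x1b[21t 404\n')

if __name__ == '__main__':
    hits, safe = review(SAMPLE)
    for offset, kind in hits:
        print(offset, kind)
    print(safe)
```
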