Bugtraq mailing list archives
Re: Fwd: CERT Advisory CA-2000-02
From: fury () NEXXUS NET (fury)
Date: Thu, 3 Feb 2000 12:04:53 -0800
On Thu, 3 Feb 2000 Shockro () AOL COM wrote:
> I'm curious as to how this could be used in a malicious manner, as opposed to just being an annoyance. I mean, god forbid, people should execute arbitrary javascript on us. Yes, we've all seen the file upload form exploit and the 1001 ways to crash Internet Explorer through infinite loops, but there's nothing seriously harmful about this, am I right? Please correct me if I'm wrong.
The SSL scenario is the most interesting point for me. Let us assume you are buying something from amazon.com using your credit card. You fill out all the forms and click on submit. Malicious code in this example would send your POST request to the intended secure server, but also could send another POST to a different server. If the second server is not SSL-capable, a warning dialogue would be brought up. But if it is SSL-capable, an unsuspecting user would never know.

Other problems, which are probably nuisances, are that malicious code can obtain readable attributes and variables available in the browser object (in JavaScript) which might have info you do not wish to share.

As far as non-secure methods of communicating go, since you are throwing your info out into the great void, you have nothing to hide, right?

All in all, using the web is just as safe as crossing the street. Do it at your own risk...

Rich
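The scenario in the reply above depends on markup from a request ending up inside a page the browser already trusts. As an added example (not part of the original post; the form template, function names and sample value are all constructed), the same checkout form is rendered with and without output encoding, and a crude tag scan shows that the encoded version gains no new elements.

```javascript
// Added example, not from the original post. Names and input are constructed.

// Encode the five characters that let text break out of HTML element
// content or a quoted attribute value.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// "Before": the request parameter is copied into the page verbatim, so any
// markup it carries becomes part of the checkout page.
function renderVulnerable(shipTo) {
  return '<form method="POST" action="/checkout">' +
         '<input name="shipto" value="' + shipTo + '">' +
         '</form>';
}

// "After": the same template with the value encoded on output.
function renderHardened(shipTo) {
  return '<form method="POST" action="/checkout">' +
         '<input name="shipto" value="' + escapeHtml(shipTo) + '">' +
         '</form>';
}

// Crude audit helper for this example only (a regex is not an HTML parser):
// list the names of all opening tags found in the rendered page.
function tagNames(html) {
  return Array.from(html.matchAll(/<([a-zA-Z][a-zA-Z0-9]*)/g),
                    (m) => m[1].toLowerCase());
}

// Constructed input: closes the attribute, then opens a script element that
// would load from a second host (placeholder domain).
const SAMPLE = '"><script src="https://other.example/a.js"></script>';

function demo() {
  return {
    vulnerable: tagNames(renderVulnerable(SAMPLE)), // script element appears
    hardened: tagNames(renderHardened(SAMPLE)),     // only the template's tags
  };
}

console.log(demo());
```

The padlock covers only the transport to each server; it says nothing about which elements ended up in the page, which is why the encoding has to happen where the page is generated.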