Re: Fwd: GOBBLES RESPONSE TO THE BLUE BOAR ("fixed version")

[3APA3A <3APA3A () SECURITY NNOV RU>]

Dear gobbles () hushmail com,

First, thanks for findings anyway. I do treat CSS problem you found as a
security  problem,  because  if  any  attack  against  client  could  be
prevented by server it should.

BUT

ghc> GOBBLES  LABS  has  tested various versions of Netscape and Galeon.
ghc> Blue  Boar,  we'll  have to disagree with you here since we're sure
ghc> the  number  of people using these browsers is much higher than the
ghc> total  number  of  sites  using  the  collective  mass  of  scripts
ghc> vulnerable to cross-scripting attacks that have made their debut on
ghc> Vuln-Dev.  With  the  work  of  Georgi Guninski (www.guninski.com),
ghc> would you really use IE?

Netscape  and  Netscape 4.x is not the same things. Netscape 4 is really
weak.  It's  also  possible  to have a crossite scripting in Netscape by
using nearly undocumented mocha:// reference. For example,

 mocha:alert('Hello world')

works  fine in Netscape 4.7x. And I'm not sure that's all about Netscape
surprises.  Do  you  wanna  check all websites/chats/guestbooks for this
issue? :))

Netscape  4.xx  has  more  security  problems than any Internet Explorer
version.  It  has:  multiple  buffer overflows, local files and crossite
access  (bohttpd  bug  is  really funny), multiple information leakages,
etc.  So,  one  who  cares  about security will never use older Netscape
versions. Check Bugtraq archives.


-- 
~/ZARAZA
Стреляя во второй раз, он искалечил постороннего. Посторонним был я. (Твен)