<<< Date Index >>> <<< Thread Index >>>

Re: Security Advisory for ALL forum services with client-set images

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: Security Advisory for ALL forum services with client-set images
From: Stefan Paletta <stefanp@xxxxxxxxxx>
Date: Thu, 23 Dec 2004 09:50:40 +0100
In-reply-to: <20041222100344.12092.qmail@xxxxxxxxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mail-followup-to: bugtraq@xxxxxxxxxxxxxxxxx
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <20041222100344.12092.qmail@xxxxxxxxxxxxxxxxxxxxx>
Reply-to: Stefan Paletta <stefanp-exp-1104396643.9142e1@xxxxxxxxxx>
User-agent: Mutt/1.5.6i

James Bandara wrote/schrieb/scripsit:

To block this I suggest you edit your service to only accept links thatend in image formats for images before the querystring.

That doesn't really help ─ the attacker can send a HTTP redirect from aninnocent-looking URL.


-Stefan
--
junior guru   SP666-RIPE     JID:stefanp@xxxxxxxxxxxxxxxx    SMP@IRC

References:
- Security Advisory for ALL forum services with client-set images
  - From: James Bandara

Prev by Date: Re: DJB's students release 44 *nix software vulnerability advisories
Next by Date: Re: DJB's students release 44 *nix software vulnerability advisories
Previous by thread: Security Advisory for ALL forum services with client-set images
Next by thread: Re: Security Advisory for ALL forum services with client-set images
Index(es):
- Date
- Thread