Cert advisory CA-2000-02 Malicious HTML Tags Embedded in Client
Web Requests
Bert Freudenberg
bert at isgnw.CS.Uni-Magdeburg.De
Thu Feb 3 11:19:46 UTC 2000
On Wed, 2 Feb 2000 agree at carltonfields.com wrote:
> A web site may inadvertently include malicious HTML tags or script in
> a dynamically generated page based on unvalidated input from
> untrustworthy sources. This can be a problem when a web server does
> not adequately ensure that generated pages are properly encoded to
> prevent unintended execution of scripts, and when input is not
> validated to prevent malicious HTML from being presented to the user.
>
> Advisory may be found at:
> http://www.cert.org/advisories/CA-2000-02.html
>
> Should we react to this with respect to the Squeak Swiki regarding
> <SCRIPT> tags?
I'm not sure. It's not only script tags. It would prevent swiki authors to
put "active content" into a page. OTOH Swikis are mostly about text and
images.
BTW, the vulnerability occurs in the strangest places - copy this link to
your browser: http://minnow.cc.gatech.edu/<SCRIPT>alert("EVIL")</SCRIPT>
and look at the page source code. Now this one is trivial to fix
(SwikiAdmins: insert "XmlSwikiPage toXml format: ..." into
*/actions/url.*), but still ...
-Bert-
More information about the Squeak-dev
mailing list
|