[Sussex] Yet Another Windows Bug
davidfalk at btinternet.com
Sat May 3 12:22:02 UTC 2003
> [1] Add a small amount of HTML to the end of all EMAILs containing
> malformed HTML
>
> [2] Add a rewrite rule in apache that passes a little malformed HTML to
> the clients.
lots of ways, e.g. cross site scripting
http://www.jobs.telegraph.co.uk/Admin/LogonErrors.asp?Error=<form><input type crash></form>
(no idea if above example works, not got IE to hand), hide in a link in an HTML email etc, lots of ways it can be used (similar shoving other rather more nasty IE problems to get a greater effect than just crashing the browser)
another example is guestbooks or similar on webpages. silly mentioned to some younger friends of mine that lots of guestbooks/similar don't do filtering on what you put in, so for instance you could insert javascript. 10 minutes later they were inserting refreshes going to gotse.cx into big web sites :/
2 extremely simple examples
> ps.
> I use Mozilla and Mutt ... what's a Crash?
won't comment heh.
David Falk
(david.falk at btinternet.com)
(davidfalk at lincore.co.uk)
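
Added example, not part of the original message: the two cases mentioned above (an error page that reflects a query parameter, and a guestbook that stores visitor text) rendered with and without output encoding. All function names and sample entries are hypothetical and constructed for illustration; only the `<form><input type crash></form>` string comes from the message.

```python
import html

# Constructed inputs modelled on the two cases in the message above.
ERROR_PARAM = "<form><input type crash></form>"
GUESTBOOK_ENTRIES = [
    ("alice", "Nice site!"),
    ("bob", '<meta http-equiv="refresh" content="0;url=http://example.invalid/">'),
    ("carol", "<script>alert(1)</script>"),
]


def render_error_page(error):
    """Reflect the Error parameter as text, never as markup."""
    return '<p class="error">Logon error: {}</p>'.format(
        html.escape(error, quote=True))


def render_guestbook_unsafe(entries):
    """The 'no filtering' guestbook: visitor text is pasted straight in."""
    rows = ["<li><b>{}</b>: {}</li>".format(n, m) for n, m in entries]
    return "<ul>\n" + "\n".join(rows) + "\n</ul>"


def render_guestbook(entries):
    """Same layout, but every visitor-supplied field is HTML-encoded."""
    rows = ["<li><b>{}</b>: {}</li>".format(
                html.escape(n, quote=True), html.escape(m, quote=True))
            for n, m in entries]
    return "<ul>\n" + "\n".join(rows) + "\n</ul>"


def live_markup(page, payloads):
    """Return the submitted payloads that survive verbatim as markup."""
    return [p for p in payloads if "<" in p and p in page]


if __name__ == "__main__":
    submitted = [m for _, m in GUESTBOOK_ENTRIES]
    print(render_error_page(ERROR_PARAM))
    print("unsafe:", live_markup(render_guestbook_unsafe(GUESTBOOK_ENTRIES), submitted))
    print("encoded:", live_markup(render_guestbook(GUESTBOOK_ENTRIES), submitted))
```

Encoding at output time keeps the visitor's text visible on the page as literal characters, so the browser never parses it as tags.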