[EMAIL PROTECTED] ([EMAIL PROTECTED]):
> I am trying to decode what was meant by this:
>
> It is easy for an attacker to insert arbitrary strings into any web
> server logfile. If these strings are then analysed by analog, they can
> appear in the report. By this means an attacker can introduce
> arbitrary Javascript code, for example, into an analog report produced
> by someone else and read by a third person. Analog already attempted
> to encode unsafe characters to avoid this type of attack, but the
> conversion was incomplete.
>
> Can someone give me an example of how this is or can be a real problem.

It is basically an extension of this exploit:
http://www.cert.org/advisories/CA-2000-02.html

> I am not a JAVA developer but have an extensive C/UNIX background.

Java has no bearing on this. JavaScript is a different language
entirely and can be embedded in HTML pages to be run on the client.
http://developer.netscape.com/js/

--
Jeremy Wadsack
Wadsack-Allen Digital Group

+------------------------------------------------------------------------
| This is the analog-help mailing list. To unsubscribe from this
| mailing list, go to
| http://lists.isite.net/listgate/analog-help/unsubscribe.html
|
| List archives are available at
| http://www.mail-archive.com/[email protected]/
| http://lists.isite.net/listgate/analog-help/archives/
| http://www.tallylist.com/archives/index.cfm/mlist.7
+------------------------------------------------------------------------
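The effect of an incomplete conversion, as an added C example that is not part of the original message and not Analog's code. The thread does not say which characters Analog missed, so the `full=0` mode, the `render_row` layout and the sample logged value are all assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* HTML-encode `in` into `out`. full=0 models a hypothetical incomplete
 * conversion (only < and >); full=1 also covers &, " and '.
 * Returns 0 on success, -1 if `out` is too small. */
int html_encode(const char *in, char *out, size_t cap, int full)
{
    size_t n = 0;
    if (cap == 0) return -1;
    for (; *in; in++) {
        const char *rep = NULL;
        switch (*in) {
        case '<':  rep = "&lt;"; break;
        case '>':  rep = "&gt;"; break;
        case '&':  if (full) rep = "&amp;"; break;
        case '"':  if (full) rep = "&quot;"; break;
        case '\'': if (full) rep = "&#39;"; break;
        }
        size_t len = rep ? strlen(rep) : 1;
        if (n + len >= cap) return -1;          /* keep room for the NUL */
        if (rep) memcpy(out + n, rep, len); else out[n] = *in;
        n += len;
    }
    out[n] = '\0';
    return 0;
}

/* Hypothetical report row: the logged value lands in an attribute and in text. */
int render_row(const char *logged, char *out, size_t cap, int full)
{
    char enc[512];
    if (html_encode(logged, enc, sizeof enc, full) != 0) return -1;
    int w = snprintf(out, cap, "<td title=\"%s\">%s</td>", enc, enc);
    return (w < 0 || (size_t)w >= cap) ? -1 : 0;
}

/* Constructed sample: a Referer header value as it would sit in the logfile. */
static const char SAMPLE[] = "http://example.invalid/\" onmouseover=\"alert(1)";

int main(void)
{
    char row[1200];
    for (int full = 0; full <= 1; full++)
        if (render_row(SAMPLE, row, sizeof row, full) == 0)
            printf("%s: %s\n", full ? "complete  " : "incomplete", row);
    return 0;
}
```

With the incomplete conversion the logged quote ends the `title` attribute early and the rest of the value is parsed as markup by whoever opens the report; with the complete conversion the same bytes stay inert text.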
