Jeremy,
Thanks for the link and the info. It is much clearer now.
Michael
Internet Mail Message
Received from host: pop1.isite.net [64.209.164.9]
From: "Jeremy Wadsack" <[EMAIL PROTECTED]> on 03/25/2002 05:41 PM GMT
To: [EMAIL PROTECTED]
Cc: (bcc: Mike Jenkins-MW/PGI)
Subject: Re: [analog-help] Help Understanding Bug Found
03/25/2002 12:41 PM
Please respond to [EMAIL PROTECTED]
[EMAIL PROTECTED] ([EMAIL PROTECTED]):
> I am trying to decode what was meant by this:
> It is easy for an attacker to insert arbitrary strings into any web
> server logfile. If these strings are then analysed by analog, they can
> appear in the report. By this means an attacker can introduce
> arbitrary Javascript code, for example, into an analog report produced
> by someone else and read by a third person. Analog already attempted
> to encode unsafe characters to avoid this type of attack, but the
> conversion was incomplete.
> Can someone give me an example of how this is or can be a real problem?
It is basically an extension of this exploit:
http://www.cert.org/advisories/CA-2000-02.html
> I am not a JAVA developer but have an extensive C/UNIX background.
Java has no bearing on this. JavaScript is a different language
entirely and can be embedded in HTML pages to be run on the client.
http://developer.netscape.com/js/
--
Jeremy Wadsack
Wadsack-Allen Digital Group
+------------------------------------------------------------------------
| This is the analog-help mailing list. To unsubscribe from this
| mailing list, go to
| http://lists.isite.net/listgate/analog-help/unsubscribe.html
|
| List archives are available at
| http://www.mail-archive.com/[email protected]/
| http://lists.isite.net/listgate/analog-help/archives/
| http://www.tallylist.com/archives/index.cfm/mlist.7
+------------------------------------------------------------------------
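
An illustration of the report-injection problem described in the quoted advisory text, added here as an example; it is not Analog's code and not part of the original messages. The log lines are constructed, and `encode_incomplete` is a hypothetical partial encoder, since the page does not say which characters Analog's conversion missed.

```python
import html
import re

# Constructed sample lines in Apache combined format; not from any real server.
# The Referer header is chosen by the client, so the second entry carries markup.
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Mar/2002:12:00:01 +0000] "GET / HTTP/1.0" 200 512 '
    '"http://example.org/links.html" "Mozilla/4.0"',
    '192.0.2.66 - - [25/Mar/2002:12:00:07 +0000] "GET / HTTP/1.0" 200 512 '
    '"http://example.org/\\" onmouseover=\\"alert(1)" "Mozilla/4.0"',
]

# A quoted log field may contain backslash-escaped quotes (\").
QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')

def referrers(lines):
    """Return the Referer field (second quoted field) of each line, unescaped."""
    out = []
    for line in lines:
        fields = QUOTED.findall(line)
        if len(fields) >= 2:
            out.append(fields[1].replace('\\"', '"'))
    return out

def encode_incomplete(s):
    """Hypothetical partial encoder: handles & < > but forgets quotes."""
    return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")

def encode_complete(s):
    """html.escape with quote=True also encodes double and single quotes."""
    return html.escape(s, quote=True)

def referrer_report(lines, encode):
    """Build an HTML fragment linking each referrer, as a report generator might."""
    rows = ['<li><a href="%s">%s</a></li>' % (encode(r), encode(r))
            for r in referrers(lines)]
    return "<ul>\n" + "\n".join(rows) + "\n</ul>"

def attribute_breakout(report):
    """True if a logged value closed the href attribute and added its own."""
    return re.search(r'<a href="[^"]*" [^>]*>', report) is not None

if __name__ == "__main__":
    for name, enc in (("incomplete", encode_incomplete), ("complete", encode_complete)):
        report = referrer_report(SAMPLE_LOG, enc)
        print(name, "-> breakout:", attribute_breakout(report))
        print(report)
```

With the partial encoder the logged value ends the `href` attribute and adds an event handler that runs in the browser of whoever reads the report; with full encoding the same value stays inert text inside the attribute.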