> Is there a technique or process that we can test this vulnerability?
>
> I have not heard of this before, am glad to do some extensive testing.
OK, first of all, here's the advisory:
<http://www.cert.org/advisories/CA-2000-02.html>
Here's a summary. Users can send data to you that contains HTML, including
<SCRIPT> tags. If you display what they send you without filtering it,
the script will execute in whoever's browser requests it. That could be
bad. Browser are extremely buggy and new bugs are continually found that
allow scripts to do nasty things. So, you should protect everyone by
not allowing anyone to embed malicious HTML in messages they send you. This
is not just for obvious things like posting to a BBS, but also for things
you might not expect. What if you print the User-agent string inside an
HTML comment?
How do we know that FreeTrade doesn't allow this? We can't ever prove a
negative, but we can feel very confident if we inspect the code. The only
technique I can suggest is to read each line and consider "what if".
Leon
------------------------------------------------------------
To subscribe: [EMAIL PROTECTED]
To unsubscribe: [EMAIL PROTECTED]
Site: http://www.working-dogs.com/freetrade/
Problems?: [EMAIL PROTECTED]
