On Fri, 28 Mar 2008 12:12:03 -0400, Tony Harminc wrote:

>On 27/03/2008, Bruce Hewson wrote:
>
>>  I would assume, like on some web screens we use here, that the text input
>>  fields are not "transparent". By that I mean the characters entered are
>>  treated as HTTP control characters, or something like that.
>
>This sort of behaviour on a web page is a great place to look for
>security holes like code injection. Maybe that would help IBM see the
>light.
>
IBM says:

    We are aware of this issue and the development team is working
    on a fix.  The problem is with less than and greater than
    symbols being interpreted as HTML tags.

    In most cases, using the "Printable version" link at the
    bottom of the page is the workaround. However, there have
    been some ...

A truly naive blunder, particularly given that they were able to get
it right on one page but not on another from the same source.

(and the "Printable version" is naive in its own way: I looked at
the raw HTML and it uses "&nbsp;" pervasively, pointlessly between
<PRE> and </PRE> tags.  And I can imagine some printers considering
NBSP (ASCII 0xA0) not to be very "Printable".)

I wonder what would happen if someone were to take an open-source
3270 emulator (or browser) and hack it to transmit 3270 command
codes in the POST data?  One might thus create a page that would
display correctly in a browser but fail with TERMINAL ERROR
on a 3270.

There's a thread ongoing in MVS-OE on CGI security.  The first
principle is: don't trust data received over the network.  The
second is: don't trust Javascript validation on the client side.
Always remember that your potential adversary controls the client.

-- gil

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
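
The two principles from the message above (validate on the server, and encode `<` and `>` when writing them into HTML) as an added example that is not part of the original post and is not IBM's code. The function names, the length limit and the sample inputs are assumptions made for illustration.

```python
import html
import unicodedata

MAX_LEN = 2000  # assumed field limit for this example


def validate_field(raw: bytes) -> str:
    """Server-side check of one POSTed field; client-side JavaScript is never trusted."""
    if len(raw) > MAX_LEN:
        raise ValueError("field too long")
    try:
        text = raw.decode("utf-8", errors="strict")
    except UnicodeDecodeError:
        raise ValueError("field is not valid UTF-8") from None
    for ch in text:
        # Reject control characters (Unicode category Cc) other than tab, LF
        # and CR, so terminal control codes cannot ride along in POST data to
        # whatever displays the text downstream.
        if unicodedata.category(ch) == "Cc" and ch not in "\t\n\r":
            raise ValueError(f"control character U+{ord(ch):04X} not allowed")
    return text


def render_unsafe(text: str) -> str:
    """The behaviour IBM describes: input is written into the page unencoded."""
    return "<pre>" + text + "</pre>"


def render_safe(text: str) -> str:
    """Encode at output time so <, >, & and quotes display as literal characters."""
    return "<pre>" + html.escape(text, quote=True) + "</pre>"


# Constructed sample inputs (not taken from the thread).
SAMPLE_TEXT = b"IF (RC<MAXRC & RC>0) THEN"  # "<MAXRC ...>" parses as a tag if unencoded
SAMPLE_CTRL = b"HELLO\x1dWORLD"             # embedded control byte 0x1D

if __name__ == "__main__":
    text = validate_field(SAMPLE_TEXT)
    print("unsafe:", render_unsafe(text))
    print("safe:  ", render_safe(text))
    try:
        validate_field(SAMPLE_CTRL)
    except ValueError as exc:
        print("rejected:", exc)
```

Encoding happens when the value is written into HTML rather than when it is received, so the stored text stays exactly what the user typed and `html.unescape` recovers it unchanged.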