April 21, 2008

Noteworthy injection

Noteworthy injection: User-generated content is great, but you can't trust it, and you must vet it before republishing it. This weekend the Barack Obama website accepted a comment from a visitor but did not strip out the angle brackets and quote marks. The result was a page whose newly injected, user-supplied JavaScript redirected visitors to the Hillary Clinton website. See Wikipedia for an introduction to why form fields need protecting from commands injected by visitors, and XSSed for additional details on the political redirect. Me, I'm hoping the next debate has a question about how each candidate feels about cross-site scripting exploits, and whether libraries like Scriptaculous should always insist upon form-field validation.... ;-)
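As an added example (not code from the original post or from any site it mentions), here is the step the post says was missing: encoding a visitor's comment so that angle brackets and quote marks become inert text before the page is republished. The escape table is written out by hand to show which characters matter and why the order matters; the comment strings are constructed samples.

```python
# Added example, not from the original post: HTML-escape user-generated
# comment text before republishing it, so that '<', '>' and quote marks
# can no longer be read as markup. Hand-written to make the character set
# visible; the standard library's html.escape does the same job.

# Order matters: '&' must be replaced first, otherwise the '&' introduced
# by the later replacements would itself be re-escaped ('&amp;lt;' etc.).
_HTML_ESCAPES = [
    ("&", "&amp;"),
    ("<", "&lt;"),
    (">", "&gt;"),
    ('"', "&quot;"),
    ("'", "&#x27;"),
]


def escape_html(text: str) -> str:
    """Return text safe inside an HTML text node or a quoted attribute."""
    for raw, entity in _HTML_ESCAPES:
        text = text.replace(raw, entity)
    return text


def render_comment(author: str, body: str) -> str:
    """Build the HTML fragment for one comment; both fields are untrusted.

    Escaping (not stripping) keeps legitimate text such as '1 < 2' intact.
    """
    return (
        f'<div class="comment" data-author="{escape_html(author)}">'
        f"<p>{escape_html(body)}</p></div>"
    )


def contains_raw_markup(escaped: str) -> bool:
    """Sanity check on escaped output: no literal '<', '>' or quote may remain."""
    return any(ch in escaped for ch in "<>\"'")


# Constructed samples (hypothetical): one comment carrying a script tag and
# quotes, as in the incident the post describes, and one benign comment that
# legitimately uses '<' and quotes in prose.
HOSTILE_COMMENT = '<script>/* injected */</script> and "quotes"'
BENIGN_COMMENT = 'I think 1 < 2 && "quotes" are fine in prose.'

if __name__ == "__main__":
    print(render_comment("visitor", HOSTILE_COMMENT))
    print(render_comment("visitor", BENIGN_COMMENT))
```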

Posted by JohnDowdell at April 21, 2008 01:41 PM

Comments

I got this info in the mail, but is the PS and AE part bogus?

[jd sez: Different issue. I don't have the background, and saw it in the newspapers this morning myself. Check the Adobe Security blogs, or the Photoshop etc. blogs, for the most pertinent info. All user input must be validated; even BMP headers, it seems.]

http://secunia.com/advisories/29838/

Secunia Advisory: SA29838
Release Date: 2008-04-22
Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Unpatched
Software: Adobe After Effects CS3; Adobe Photoshop Album Starter Edition 3.x

Posted by: rich at April 22, 2008 08:55 AM