Linux Today: Linux News On Internet Time.

More on LinuxToday Cross Site Scripting Info

Feb 04, 2000, 19:50

"This page contains information about the Cross Site Scripting security issue, how it impacts Apache itself, and how to properly protect against it when using Apache related technologies."

"We would like to emphasize that this is not an attack against any specific bug in a specific piece of software. It is not an Apache problem. It is not a Microsoft problem. It is not a Netscape problem. In fact, it isn't even a problem that can be clearly defined to be a server problem or a client problem. It is an issue that is truly cross platform and is the result of unforeseen and unexpected interactions between various components of a set of interconnected complex systems."

"We would also like to point out that it is important to understand that this is not the old, well known issue, that if a site allows user A to submit content that is viewed by user B, it has to be properly encoded. This vulnerability is when the content is both submitted and viewed strictly by user A. Due to the difficulty of properly encoding output in all situations, many sites do not worry about encoding data that is only shown to the user that sent the data in their request due to the mistaken assumption that this doesn't pose a security threat."

"This is a serious security issue, with potential implications that are only starting to be understood."
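The case the quoted statement singles out, a page that echoes a request value back to the same user who submitted it, shown as an added example that is not code from Apache or from this article. The search page, function names and sample request are assumptions made up for the illustration; the first renderer skips encoding, the second encodes for each output context.

```python
# Added illustration: a handler that echoes a request parameter back to the
# user who sent it, first without and then with output encoding.
# The page template, function names and sample request are all constructed.
import html
from urllib.parse import parse_qs, quote

PAGE = (
    "<html><body>"
    "<p>No results for: {body}</p>"
    '<a href="/search?q={link}">Search again</a>'
    "</body></html>"
)


def get_query(query_string):
    """Return the decoded 'q' parameter from a raw query string."""
    return parse_qs(query_string, keep_blank_values=True).get("q", [""])[0]


def render_unencoded(query_string):
    """The mistaken assumption: data shown only to its sender needs no encoding."""
    q = get_query(query_string)
    return PAGE.format(body=q, link=q)


def render_encoded(query_string):
    """Encode for each output context, regardless of who will view the page."""
    q = get_query(query_string)
    return PAGE.format(
        # HTML text context: neutralise <, >, & and quotes.
        body=html.escape(q, quote=True),
        # URL component inside an attribute: percent-encode, then HTML-escape.
        link=html.escape(quote(q, safe=""), quote=True),
    )


# Constructed sample request whose value contains markup characters.
SAMPLE = "q=%3Cscript%3Ealert(1)%3C%2Fscript%3E"

if __name__ == "__main__":
    print(render_unencoded(SAMPLE))
    print(render_encoded(SAMPLE))
```
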
