[Mailman-i18n] Pipermail and non-English lists
Martin v.Löwis
loewis@informatik.hu-berlin.de
Thu Nov 21 17:18:47 2002
barry@python.org (Barry A. Warsaw) writes:
> Yeah, but the online docs make no mention of this. What specifically
> are the security vulnerabilities?
You can arrange for "cross-site scripting". If you manage to put UTF-7
into some page, utf-7 decoding this could result in, say,
<script src="some.hostile.com">data</script>
The server-side filter may fail to detect the markup in the input, as
it isn't prepared to see encodings which aren't ASCII-compatible.
You have to bend your mind quite a bit, to make a number of
unreasonable assumptions, for this to result in a successful attack.
See
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/news/csoverv.asp
for Microsoft's explanation of this issue.
Regards,
Martin
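
The filter gap described in the message above, as an added example that is not part of the original post or of Mailman's code: a byte-level escaper that assumes an ASCII-compatible encoding, checked against the message's own markup with only the angle brackets written as UTF-7 shift sequences. The function names, the sample bytes and the client model (honours a declared charset, otherwise decodes as UTF-7) are assumptions made for illustration.

```python
# Constructed sample: the markup from the message, with only "<" and ">"
# written as UTF-7 shift sequences ("+ADw-" and "+AD4-").
SAMPLE = b'+ADw-script src="some.hostile.com"+AD4-data+ADw-/script+AD4-'


def ascii_filter(raw: bytes) -> bytes:
    """Filter that assumes an ASCII-compatible encoding: escapes the bytes
    for &, < and > and passes everything else through unchanged."""
    return (raw.replace(b"&", b"&amp;")
               .replace(b"<", b"&lt;")
               .replace(b">", b"&gt;"))


def hardened_filter(raw: bytes) -> bytes:
    """Same escaping, plus "+" as a character reference, so no UTF-7 shift
    sequence survives in the output whatever the client decodes it as."""
    return ascii_filter(raw).replace(b"+", b"&#43;")


def client_view(body: bytes, declared_charset=None) -> str:
    """Model of a client (assumption): it honours a declared charset and
    decodes as UTF-7 only when the page declares none."""
    return body.decode(declared_charset or "utf-7")


def has_markup(text: str) -> bool:
    """True if the text the client ends up with contains angle brackets."""
    return "<" in text or ">" in text


if __name__ == "__main__":
    filtered = ascii_filter(SAMPLE)
    # The filter finds nothing to escape, so the bytes pass through as-is.
    print("filter changed input:", filtered != SAMPLE)
    # No declared charset: the modelled client decodes the shift sequences.
    print("no charset  ->", client_view(filtered))
    # Declared charset: the same bytes stay inert text.
    print("iso-8859-1  ->", client_view(filtered, "iso-8859-1"))
    # "+" escaped: inert even when decoded as UTF-7.
    print("'+' escaped ->", client_view(hardened_filter(SAMPLE)))
```

Either defence alone is enough in this model: declaring the charset on every generated page, or escaping "+" in untrusted input.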