PerlMonks
Re: (ichimunki) Re: Security issues when allowing file upload via CGI
by thraxil (Prior) on Dec 06, 2001 at 20:48 UTC ( [id://129983]=note )
Never underestimate the stupidity of IE and Outlook. If you take an HTML file, name it foo.jpg and send it with a MIME type of image/jpeg, IE 5 on the Mac and IE 4 on Windows will happily parse and render it as HTML (probably some versions of Outlook exhibit this broken behavior too). This technique was once used in a Hotmail exploit: email someone a "jpg" and it could grab their password cookie and submit it to another site. If SecurityFocus hadn't changed the structure of their Bugtraq archives and broken my bookmarks, I could give you a link... I don't think it's quite dumb enough to run an .exe the same way, but there's still a lot of mischief that can be done with HTML+JavaScript/VBScript.
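The defensive counterpart to the point above, as an added example that is not part of the thread: a server-side check for an "image" upload that ignores the client's filename and Content-Type and decides from the leading bytes, then serves the stored file with X-Content-Type-Options: nosniff (a header the old browsers in the post predate, but which current ones honour). The signature table, the HTML marker list and the sample upload are constructed for this example.

```python
# Added example (not from the PerlMonks thread): reject an upload that claims to
# be an image but is really HTML, so it can never be served as image/jpeg for a
# content-sniffing browser to render.
import re

# Magic bytes for the image formats this uploader accepts (constructed whitelist).
IMAGE_SIGNATURES = {
    "image/jpeg": [b"\xff\xd8\xff"],
    "image/png": [b"\x89PNG\r\n\x1a\n"],
    "image/gif": [b"GIF87a", b"GIF89a"],
}

# Markup that a sniffing browser would treat as HTML even inside a ".jpg".
HTML_MARKERS = re.compile(rb"<\s*(?:!doctype|html|script|iframe|object|meta|body)\b",
                          re.IGNORECASE)


def detect_image_type(data: bytes):
    """Return the MIME type implied by the file's leading bytes, or None."""
    for mime, sigs in IMAGE_SIGNATURES.items():
        if any(data.startswith(sig) for sig in sigs):
            return mime
    return None


def validate_upload(filename: str, declared_type: str, data: bytes):
    """Accept or reject an upload. The client-supplied filename and type are
    never trusted; the declared type is only cross-checked against the bytes."""
    actual = detect_image_type(data)
    if actual is None:
        return (False, "no recognised image signature")
    # A valid image header followed by HTML (a polyglot) can still be sniffed
    # as HTML by old browsers, which only looked at the first few hundred bytes.
    if HTML_MARKERS.search(data[:4096]):
        return (False, "image contains HTML markup")
    if declared_type != actual:
        return (False, f"declared {declared_type} but bytes are {actual}")
    return (True, actual)


def response_headers(mime: str, safe_name: str):
    """Headers for serving a stored image: type taken from the verified bytes,
    plus nosniff so the browser cannot reinterpret the body as HTML."""
    return {
        "Content-Type": mime,
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'inline; filename="{safe_name}"',
    }


# Constructed sample: an HTML document uploaded as foo.jpg with type image/jpeg.
FAKE_JPG = b"<html><body>not an image</body></html>"
```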
In Section: Seekers of Perl Wisdom