Re: [Simple] <note> in IMDN
Eric,
I don't understand. I am slow, I know. Please explain in detail how are
other fields like Subject in SIP, <note> in presence, or any other
field that allows strings or tokens to be entered not unconstrained and
not free-form while this one is?
Please don't reply with a one-liner.
Thanks,
Hisham
On 21/05/2008, Eric Burger <eburger at standardstrack.com> wrote:
> Because it is unconstrained and by definition free-form.
>
>
> On May 20, 2008, at 7:22 PM, Hisham Khartabil wrote:
>
> > On 21/05/2008, Dean Willis <dean.willis at softarmor.com> wrote:
> >
> > >
> > > On May 13, 2008, at 11:38 PM, Hisham Khartabil wrote:
> > >
> > >
> > > > Can you explain how it is an attack vector?
> > > >
> > > >
> > >
> > >
> > > Unconstrained rich content is one of the most easily exploited attack
> > > vectors.
> > >
> >
> > How is this different from every other header or part of an XML body
> > in SIP, MSRP, IMPP or any other protocol that allows text to be
> > entered in a field? Why is this particular <note> giving people grief?
> >
> >
> > >
> > > > Buffer overrun attacks as well as all of the typical MIME compound-component
> > > > attacks are likely. For example, the common JPEG vulnerabilities might be
> > > > exploitable:
> > > >
> > > >
> > > > http://www.news.com/Image-virus-spreads-via-chat/2100-7349_3-5390463.html
> > >
> > >
> > > > Or the content-execution weakness that caused the Macintosh Safari browser to
> > > > be most easily exploited in recent hacking contests:
> > > >
> > > >
> > > > http://www.engadget.com/2007/07/23/safari-exploit-gives-hackers-full-control-of-your-iphone/
> > >
> > >
> > > There have also been exploits against QuickTime, Flash, and most other
> > > plugin components from time to time.
> > >
> > > --
> > > Dean
> > >
> > >
> >
>
>
_______________________________________________
Simple mailing list
Simple at ietf.org
https://www.ietf.org/mailman/listinfo/simple