RE: exploits due to buggy validation
From: "Daniel Sichel" <daniels () Ponderosatel com>
Date: Thu, 15 Jul 2004 10:42:00 -0700
daniels () ponderosatel com (559) 868-6367
The correct solution to all such problems is simply to reject the
content as malformed. And guess what will happen when you do that?
Several really crappy web design products will disappear because the
folk using them will drop them because no-one can see their
the rest will suddenly become very interested in producing properly
compliant content, as they should have been from the outset.
Playing "guess what the moron really meant" is a recipe for being
screwed, so let's get over the previous "need" to "see it at
and get some sense back into what folk are doing...
Sorry but you couldn't be more wrong. PHBs will require security
technicians to open holes in the firewall to permit the buggy content.
The companies using web design products that produce crap pages won't
drop them. They will blame it on Apache, which won't be believed and on
Microsoft IIS, which will be. Microsoft will "extend" the tag standard
to allow this behavior and McAfee will develop patterns to detect them
as fast as they can. Don't believe me? Do you have IM inside your
firewall? How about Macromedia Flash? Any RealPlayer users?
The bad drives out the good.
Full-Disclosure - We believe in it.