DLR (news22@raleighthings.com) Thu, 13 Jul 2006 03:10:15 -0400

Review Index Sorted By: [ date ][ thread ][ subject ][ author ] Next message: DLR: "Re: Pre A/C Central Office Ventilation?" Previous message: ranck@vt.edu: "Re: Back to Being a Luddite (Oh Well)" May be in reply to: hancock4@bbs.cpcn.com: "Back to Being a Luddite (Oh Well)" Next in thread: hancock4@bbs.cpcn.com: "Re: Back to Being a Luddite (Oh Well)" TELECOM Digest: Home Page

sidd@situ.com wrote: > In article <telecom25.255.8@telecom-digest.org>, mc > <look@www.ai.uga.edu.for.address> wrote: >> I don't think it does. Has anyone made measurements? Text files and >> graphics don't have to be checked, only executable code. > I believe there have been several overflows found in image processing > libraries (jpeg,pdf,tiff...) used by popular browsers and image > viewers. > I am also aware of atleast one entirely text based attack on a hole in > a java runtime engine. > sidd Yep. Buffer overruns are the biggest issue with web stuff. Shove more of something than is expected at just the right time and a badly coded something will barf or let it over write some code. And if that code can later be forced to execute then you have a way to stuff your own code into the system and have it execute. I saw a writeup about one of the biggies that his MS servers a few years back and the actual inserted code was maybe 20 or 40 characters. So it doesn't take much. And it doesn't have to be "code" that your browser thinks it is being fed. Text, graphics, code, etc ... are just lables. It's all bits.

Post Followup Article	Use your browser's quoting feature to quote article into reply
Go to Next message: DLR: "Re: Pre A/C Central Office Ventilation?"
Go to Previous message: ranck@vt.edu: "Re: Back to Being a Luddite (Oh Well)"
May be in reply to: hancock4@bbs.cpcn.com: "Back to Being a Luddite (Oh Well)"
Next in thread: hancock4@bbs.cpcn.com: "Re: Back to Being a Luddite (Oh Well)"
TELECOM Digest: Home Page