Re: RE: Invision Vulnerabilities, including remote code execution
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: Re: RE: Invision Vulnerabilities, including remote code execution
- From: mattmecham@xxxxxxxxx
- Date: 10 Jul 2006 09:57:13 -0000
We have cleaned up much of the post parser in a recent security update which
included removing the block of code that attempts to decode hex entities into
HTML.
Part of the problem is trying to balance a feature-rich application against
various browser bugs (of which IE is the worst culprit for rendering what
should be considered safe HTML code) and programmatically safe code.