Anyway, I thought I'd go have a look myself, and here is a little snippet which works in both IE and Firefox:
<input type_="password" type=`password`>
Whether this is what Chapin Information Services found is unclear since they didn't release anything, but what is clear is that MySpace don't understand that the Non-Digit-Non-Alpha issue extends to all attributes, nor do they seem to understand that IE also allows grave accents (`) to be used instead of (single or double) quotes.
I really don't understand how many times they need to fix these issues before they begin to understand them.
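The filtering problem described above, as an added example that is not part of the original post and not MySpace's code: a hypothetical deny-list that knows only the three `type=password` spellings this page lists as blocked misses the snippet, while an allow-list that keeps a few attribute-free tags and encodes everything else does not depend on enumerating spellings. The regex, the tag list and all function names are assumptions.

```javascript
// Constructed samples: three spellings the page lists as blocked, plus its snippet.
const SAMPLES = [
  '<input type=password>',
  "<input type='password'>",
  '<input type="password">',
  '<input type_="password" type=`password`>',
];

// Hypothetical deny-list (assumed shape, not MySpace's filter): it only knows
// unquoted, single-quoted and double-quoted values after an exact "type" name.
const DENY = /<input[^>]*\stype\s*=\s*(?:"password"|'password'|password(?=[\s>\/]))/i;
function denyListBlocks(html) {
  return DENY.test(html);
}

// Allow-list: only these tags, only with no attributes at all, survive as markup.
const ALLOWED = new Set(['b', 'i', 'em', 'strong', 'p', 'br']);
const ESC = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;', '`': '&#96;' };
function escapeHtml(text) {
  return text.replace(/[&<>"'`]/g, (c) => ESC[c]);
}

function allowListSanitize(html) {
  // split() with a capture group keeps the attribute-free tags as separate parts.
  return html.split(/(<\/?[a-z]+>)/i).map((part) => {
    const m = /^<(\/?)([a-z]+)>$/i.exec(part);
    if (m && ALLOWED.has(m[2].toLowerCase())) {
      return `<${m[1]}${m[2].toLowerCase()}>`; // re-emit in canonical form
    }
    return escapeHtml(part); // everything else becomes inert text
  }).join('');
}

for (const s of SAMPLES) {
  console.log(denyListBlocks(s) ? 'deny-list: blocked' : 'deny-list: MISSED ',
    '| allow-list output:', allowListSanitize(s));
}
```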
4 comments:
If you have not already looked at this,
http://www.info-svc.com/news/11-21-2006/rcsr1/
I could get a feel of what the issue is, by looking at this link.
Oh no, I understand what the issue is, what I was talking about is the fact that MySpace had 'fixed' the issue last year, and now blocks type=password type='password' and type="password" and so people who had examined the filter had thought the issue fixed.
Yesterday they published this article: http://www.info-svc.com/news/01-29-2007/myspace/ saying that MySpace hadn't completely fixed the issue, but they didn't provide any details about what MySpace was not blocking.
And so it was not possible to actually verify the existence of the holes they were talking about, other than by finding them myself. And even if it only took me 2 minutes to verify it wasn't fixed, it could probably take other people a bit longer, and hence wastes everyone's time.
Ok. Now I understand what you are saying.
But isn't it better not to disclose it until they completely fix it?
Probably, but it still annoys me.
I just think it's a completely useless piece of news because other than generating hype/paranoia which doesn't really help anything, it discloses no information, it gives users no recommendations (such as turning off or disabling or removing passwords from the password manager), and provides other people who may have thought MySpace's fix adequate with no example attack/defence so that they can improve their own code.
But then again, I think that if vendors screw up and write insecure software (and yes it is a screw up on the vendor's part), then that's their fault, and they don't deserve any special treatment in being told about vulnerabilities.