XML-DEV Mailing List Archive
RE: Wrapping Scripted Media in RSS: Secure?
What I came out of it with was:
- if people want to put executable code in rss and build clients that execute it, they will.
- if they do they will have serious security issues to deal with
- if the RSS community starts a process to specify the details of executable content in such a way that it is safe to use, it should be informed by the fact that this is inherently unsafe

Sub-points:
- it's not the messages that provide exploits, it's the recipient
- the message doesn't HAVE to be executable in order for there to be client exploits, but it sure does help
- outlook [expletive deleted]

--->Nathan

> -----Original Message-----
> From: Bullard, Claude L (Len) [mailto:len.bullard@i...]
> Sent: Friday, September 23, 2005 1:07 PM
> To: 'Ken North'; xml-dev@l...
> Subject: RE: Wrapping Scripted Media in RSS: Secure?
>
> So overall, the original thread conclusion and Bill Kearney
> are right: RSS should resist scripted content regardless
> of market pressures?
>
> len
>
>
> From: Ken North [mailto:kennorth@s...]
>
> Robert Koberg wrote:
> > But isn't this more about server admins than possible problems with
> > script in content?
> >
> > How can there be problems if the script cannot be executed?
>
> Given that we've seen security threats related to non-executable content,
> your comment about server administration hits the nail on the head.
>
> 1. Vulnerabilities related to XML, DTD, XML-RPC and SOAP processing:
> http://www.webservicessummit.com/Vulnerabilities.htm
>
> 2. SQL injection vulnerabilities are epidemic.
>
> 3. MP3, WMA, AVI, PNG and JPEG have been exploited. The problem is often a
> buffer overrun that can be exploited by constructing a file to cause the
> overrun and allow malware to execute.
>
> There's a worm that exploited a vulnerability in some Windows apps that read
> JPEG images. One of the MP3 exploits uses an ID3 tag.
> There have been vulnerabilities in media players (Flash Player, RealPlayer,
> Windows Media Player, MPlayer).
>
> -----------------------------------------------------------------
> The xml-dev list is sponsored by XML.org <http://www.xml.org>, an
> initiative of OASIS <http://www.oasis-open.org>
>
> The list archives are at http://lists.xml.org/archives/xml-dev/
>
> To subscribe or unsubscribe from this list use the subscription
> manager: <http://www.oasis-open.org/mlmanage/index.php>
>
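
Added example, not part of the original thread and not any poster's code: one way the recipient (a feed reader) can refuse scripted content in RSS items and reject feeds that carry a DTD, using an allowlist over the item markup. The names `Sanitizer` and `safe_items`, the allowlist itself and the sample feed are assumptions constructed for illustration.

```python
import html
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

ALLOWED = {"p", "b", "i", "em", "strong", "a", "ul", "ol", "li"}  # assumed allowlist
DROP_BODY = {"script", "style", "iframe", "object"}  # tag and its content removed

class Sanitizer(HTMLParser):
    """Allowlist filter for item markup: unknown tags and all attributes go."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0
    def handle_starttag(self, tag, attrs):
        if tag in DROP_BODY:
            self.skip += 1  # an unclosed <script> drops the rest: fail closed
        elif not self.skip and tag in ALLOWED:
            href = (dict(attrs).get("href") or "").strip()
            if tag == "a" and href.lower().startswith(("http://", "https://")):
                self.out.append('<a href="%s" rel="noopener">' % html.escape(href))
            else:
                self.out.append("<%s>" % tag)  # onclick=, style=, javascript: gone
    def handle_endtag(self, tag):
        if tag in DROP_BODY:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED:
            self.out.append("</%s>" % tag)
    def handle_data(self, data):
        if not self.skip:
            self.out.append(html.escape(data, quote=False))

def safe_items(feed_xml):
    """Return [(title, description)] with both fields safe to place in HTML."""
    if "<!DOCTYPE" in feed_xml or "<!ENTITY" in feed_xml:
        raise ValueError("feed carries a DTD or entity declarations; refusing")
    items = []
    for item in ET.fromstring(feed_xml).iter("item"):
        s = Sanitizer()
        s.feed(item.findtext("description") or "")
        s.close()
        items.append((html.escape(item.findtext("title") or ""), "".join(s.out)))
    return items

# Constructed sample feed, not taken from the thread.
SAMPLE_FEED = (
    '<rss version="2.0"><channel><item><title>Notes</title><description><![CDATA['
    '<p onclick="track()">Hi <a href="javascript:run()">x</a><script>run()</script>'
    '<a href="https://example.org/post?id=1">ok</a></p>]]></description></item></channel></rss>'
)
```

Sanitizing markup does not address the parser-level flaws the thread mentions for media formats; enclosures still have to be handed to decoders that are themselves kept patched.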