• To: Elliotte Rusty Harold <elharo@m...>
• Subject: Re: XInclude: security risk 1
• From: Rich Salz <rsalz@d...>
• Date: Sat, 26 Oct 2002 22:15:05 -0400 (EDT)
• Cc: "xml-dev@l..." <xml-dev@l...>
• In-reply-to: <p04330100b9e080b82819@[192.168.254.4]>

> Once a local user has loaded this into a web browser from behind the
> firewall, the original host site or some other remote site can easily
> determine whether some document exists on some server that would not
> normally be accessible to it.

Interesting idea.  It would be easy, for example, for an adversary to
determine the system type by looking for things like /linux vs
C:\PROGRA~1.  Knowing that would help them attack.
	/r$

• References:
  • XInclude: security risk 1
    • From: Elliotte Rusty Harold <elharo@m...>

• Prev by Date: RE: [ANN] "Future of Software and Databases" NetSeminar (December 3)
• Next by Date: Re: Are XML's Good Ideas hidden? (was Re: Re: What are Sc...
• Previous by thread: Re: XInclude: security risk 1
• Next by thread: Re: XInclude: security risk 1
• Index(es):
  • Date
  • Thread