From: webappsec-helpsecurityfocus.com
Date: Tue Feb 19 2002 - 17:47:33 CST


    Hi! This is the ezmlm program. I'm managing the
    webappsec@securityfocus.com mailing list.

    I'm working for my owner, who can be reached
    at webappsec-owner@securityfocus.com.

    Messages to you from the webappsec mailing list seem to
    have been bouncing. I've attached a copy of the first bounce
    message I received.

    If this message bounces too, I will send you a probe. If the probe bounces,
    I will remove your address from the webappsec mailing list,
    without further notice.

    I've kept a list of which messages from the webappsec mailing list have
    bounced from your address.

    Copies of these messages may be in the archive.

    To retrieve a set of messages 123-145 (a maximum of 100 per request),
    send an empty message to:
       <webappsec-get.123_145@securityfocus.com>

    To receive a subject and author list for the last 100 or so messages,
    send an empty message to:
       <webappsec-index@securityfocus.com>

    Here are the message numbers:

       834

    --- Enclosed is a copy of the bounce message I received.

    Return-Path: <>
    Received: (qmail 11027 invoked from network); 8 Feb 2002 03:08:04 -0000
    Received: from mail.securityfocus.com (HELO securityfocus.com) (66.38.151.9)
      by lists.securityfocus.com with SMTP; 8 Feb 2002 03:08:04 -0000
    Received: (qmail 32764 invoked by alias); 8 Feb 2002 03:07:10 -0000
    Received: (qmail 32760 invoked from network); 8 Feb 2002 03:07:10 -0000

      by mail.securityfocus.com with SMTP; 8 Feb 2002 03:07:10 -0000

            id B9CA71C048; Thu, 7 Feb 2002 21:14:34 -0600 (CST)
    Date: Thu, 7 Feb 2002 21:14:34 -0600 (CST)

    Subject: Undelivered Mail Returned to Sender

    MIME-Version: 1.0
    Content-Type: multipart/mixed;


    This is a MIME-encapsulated message.

    Content-Description: Notification
    Content-Type: text/plain

    I'm sorry to have to inform you that the message returned
    below could not be delivered to one or more destinations.

    If you do so, please include this problem report. You can
    delete your own text from the message returned below.

                            The Postfix program


    Content-Description: Undelivered Message
    Content-Type: message/rfc822

    Received: from outgoing.securityfocus.com (outgoing3.securityfocus.com [66.38.151.27])


    Received: from lists.securityfocus.com (lists.securityfocus.com [66.38.151.19])
            by outgoing.securityfocus.com (Postfix) with QMQP
            id 9AC1FA30A5; Thu, 7 Feb 2002 20:01:18 -0700 (MST)
    Mailing-List: contact webappsec-help@securityfocus.com; run by ezmlm
    Precedence: bulk
    List-Id: <webappsec.list-id.securityfocus.com>
    List-Post: <mailto:webappsec@securityfocus.com>
    List-Help: <mailto:webappsec-help@securityfocus.com>
    List-Unsubscribe: <mailto:webappsec-unsubscribe@securityfocus.com>
    List-Subscribe: <mailto:webappsec-subscribe@securityfocus.com>
    Delivered-To: mailing list webappsec@securityfocus.com
    Delivered-To: moderator for webappsec@securityfocus.com
    Received: (qmail 10736 invoked from network); 8 Feb 2002 03:06:36 -0000
    Message-Id: <3.0.5.32.20020208111255.00810a80@192.228.128.13>
    X-Sender: lyeoh@192.228.128.13
    X-Mailer: QUALCOMM Windows Eudora Light Version 3.0.5 (32)
    Date: Fri, 08 Feb 2002 11:12:55 +0800
    To: "josh smith" <pen_tester@hotmail.com>,
            <webappsec@securityfocus.com>
    From: Lincoln Yeoh <lyeoh@pop.jaring.my>
    Subject: Re: Webappsec FAQ?
    In-Reply-To: <OE638QVjp3b6uIU1Gj000006a94@hotmail.com>
    References: <AKEEKGDHBDNGMKLFCHLEMEEFCCAA.elandaryl.org>
    Mime-Version: 1.0
    Content-Type: text/plain; charset="us-ascii"

    By the way, do any of you have more suggestions on my original question - how
    to display HTML with the active stuff removed?

    I'm trying to display HTML as _HTML_, not text. Displaying HTML as text is
    near trivial.

    Thanks,
    Link.

    At 09:34 AM 07-02-2002 -0600, josh smith wrote:
    >Follow the Cert Advisory and encode all special characters (% and ' and "
    >and < and > and |). Specifically, encoding just < and > in a dynamic web
    >application that utilizes forms will not stop JavaScript injection. You
    >will be limited but it is still possible and the extent of the exploit
    >really depends on the application. Don't just think of CSS; think of other
    >things like SQL injection and other types of input validation attacks
    >(buffer overflows etc etc). This all falls under Input Validation. Never
    >trust client input in any way.
    >
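As an added illustration (not part of the original thread or written by either poster), here is one way to do what Link asks, in Python: render untrusted HTML as HTML while removing the active parts, next to the near-trivial "display it as text" case. The tag and attribute allowlists and the accepted URL schemes are assumptions chosen for the example; real deployments tune them to what the application actually needs to show.

```python
from html.parser import HTMLParser
from html import escape

# Allowlists below are assumptions made for this example, not from the thread.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "ul", "ol", "li", "br", "code", "pre"}
ALLOWED_ATTRS = {"a": {"href", "title"}}          # no on* handlers, no style=
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed"}
VOID_TAGS = {"br"}
SAFE_SCHEMES = ("http:", "https:", "mailto:")     # relative URLs are dropped too

class ActiveContentStripper(HTMLParser):
    """Rebuild markup from the allowlist; anything else is escaped or dropped."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip_depth = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1                  # hide the element and its body
        elif self.skip_depth == 0 and tag in ALLOWED_TAGS:
            kept = []
            for name, value in attrs:
                value = value or ""
                if name not in ALLOWED_ATTRS.get(tag, set()):
                    continue                      # drops onclick=, style=, ...
                if name == "href" and not value.strip().lower().startswith(SAFE_SCHEMES):
                    continue                      # drops javascript:, data:, vbscript:
                kept.append(f' {name}="{escape(value, quote=True)}"')
            self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif self.skip_depth == 0 and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self.skip_depth == 0:
            self.out.append(escape(data, quote=False))  # text is never re-emitted raw

def sanitize_html(untrusted: str) -> str:
    """Display as HTML: allowed formatting survives, active content does not."""
    parser = ActiveContentStripper()
    parser.feed(untrusted)
    parser.close()
    return "".join(parser.out)

def display_as_text(untrusted: str) -> str:
    """The near-trivial alternative Link mentions: show the markup, don't render it."""
    return escape(untrusted, quote=True)
```

Because the output is rebuilt from the allowlist rather than filtered by a denylist, comments, declarations, unknown tags and encoded scheme tricks such as `java&#9;script:` all fall out without needing their own rule.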