Dear gobbles@hushmail.com,
First, thanks for findings anyway. I do treat CSS problem you found as a
security problem, because if any attack against client could be
prevented by server it should.
BUT
ghc> GOBBLES LABS has tested various versions of Netscape and Galeon.
ghc> Blue Boar, we'll have to disagree with you here since we're sure
ghc> the number of people using these browsers is much higher than the
ghc> total number of sites using the collective mass of scripts
ghc> vulnerable to cross-scripting attacks that have made their debut on
ghc> Vuln-Dev. With the work of Georgi Guninski (www.guninski.com),
ghc> would you really use IE?
Netscape and Netscape 4.x is not the same things. Netscape 4 is really
weak. It's also possible to have a crossite scripting in Netscape by
using nearly undocumented mocha:// reference. For example,
mocha:alert('Hello world')
works fine in Netscape 4.7x. And I'm not sure that's all about Netscape
surprises. Do you wanna check all websites/chats/guestbooks for this
issue? :))
Netscape 4.xx has more security problems than any Internet Explorer
version. It has: multiple buffer overflows, local files and crossite
access (bohttpd bug is really funny), multiple information leakages,
etc. So, one who cares about security will never use older Netscape
versions. Check Bugtraq archives.
--
~/ZARAZA
Стреляя во второй раз, он искалечил постороннего. Посторонним был я. (Твен)
