nospam | 8 Sep 2005 21:58

Re: I see a lot of Hits on Port 80 TCP what are they ?

!:?) wrote:
> Hello,
> 
> I have Netscape for my ISP and they use AOL Servers.
> (They are owned by AOL)
> Using Netscape 7.2 Browser Email Client, Netscape ISP Dial-up.
> I switched ISP's several Months ago.
> 
> I see a large number of Hits on Port 80, some are Web Sites, most are 
> users and never Seen so many hits on that Port before.
> Most of the IP's are AOL IP Blocks but not all.
> 
> Rule "Default Block HTTP Port 80 TCP" blocked (compaq,http).  Details:
> Inbound TCP connection
> Local address,service is (compaq,http)
> Remote address,service is (172.134.0.64,3837)
> Process name is "N/A"
> 
> They hit no matter if I have a Browser\Email Client up or not.
> I have been seeing this for several Months now.
> 
> The Firewall stops them and I'm not Worried about them but wondered what 
> they all were.
> 
> 
> Kevin

They want to know if you are running a server they can exploit.
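One way to get a feel for what those blocked entries are, added here as an example and not code from either post: parse the firewall's multi-line record format (the layout quoted above) and count, per local service, how many distinct remote addresses are hitting it and which ones keep coming back. Background scanning for web servers tends to look like many addresses with one or two hits each; a single address hammering repeatedly is the one worth a closer look. The sample log below is constructed: it repeats the entry from the post and adds records using RFC 5737 documentation addresses, not real traffic.

```python
"""Triage blocked-inbound firewall entries by remote source.

Added example, not code from the thread. The record layout mirrors the
entry quoted in the post; all sample addresses other than the quoted one
are constructed (RFC 5737 documentation ranges).
"""
import re
from collections import Counter


def _entry(rhost, rport, direction="Inbound", lsvc="http"):
    # One record in the firewall's five-line format (constructed sample data).
    return (
        f'Rule "Default Block HTTP Port 80 TCP" blocked (compaq,{lsvc}).  Details:\n'
        f'{direction} TCP connection\n'
        f'Local address,service is (compaq,{lsvc})\n'
        f'Remote address,service is ({rhost},{rport})\n'
        'Process name is "N/A"\n'
    )


SAMPLE_LOG = "\n".join(
    [_entry("172.134.0.64", 3837),  # the entry quoted in the post
     _entry("192.0.2.10", 4001), _entry("192.0.2.77", 1188), _entry("203.0.113.4", 2230)]
    + [_entry("198.51.100.5", 3000 + i) for i in range(6)]  # one source, six tries
    + [_entry("192.0.2.50", "http", direction="Outbound", lsvc="1234")]  # not inbound
)

# One regex per record; named groups give us the fields we care about.
RECORD_RE = re.compile(
    r'Rule "(?P<rule>[^"]+)" blocked \((?P<local>[^)]*)\)\.\s+Details:\s*\n'
    r'(?P<direction>Inbound|Outbound) (?P<proto>TCP|UDP) connection\s*\n'
    r'Local address,service is \((?P<lhost>[^,]*),(?P<lsvc>[^)]*)\)\s*\n'
    r'Remote address,service is \((?P<rhost>[^,]*),(?P<rport>[^)]*)\)\s*\n'
    r'Process name is "(?P<proc>[^"]*)"',
    re.MULTILINE,
)


def parse_records(text):
    """Return one dict per blocked-connection record found in the log text."""
    return [m.groupdict() for m in RECORD_RE.finditer(text)]


def hits_by_service(records, direction="Inbound"):
    """Map local service name -> Counter of remote hosts that hit it."""
    out = {}
    for r in records:
        if r["direction"] != direction:
            continue  # outbound blocks are a different question
        out.setdefault(r["lsvc"], Counter())[r["rhost"]] += 1
    return out


def characterize(counter, repeat_threshold=5):
    """Crude triage of one service's hit counter.

    Many distinct sources with a hit or two each looks like background
    scanning; a source at or above repeat_threshold is flagged for review.
    """
    repeaters = [h for h, n in counter.items() if n >= repeat_threshold]
    return {
        "distinct_sources": len(counter),
        "total_hits": sum(counter.values()),
        "repeat_sources": sorted(repeaters),
    }


if __name__ == "__main__":
    for service, counter in hits_by_service(parse_records(SAMPLE_LOG)).items():
        print(service, characterize(counter))
```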
nospam | 8 Sep 2005 22:03

OpenSSL certs on Mozilla

I see mozilla browsers allow import of PKCS12 certs (I'm using mozilla 
on linux). There's a lot of documentation on creating certs for apache, 
but I'm looking for the command for creating a cert for mozilla that the 
web site owner can sign and then use for access to the private web page. 
I imagine the command starts something like "openssl pkcs12", but I'm 
not finding the rest of the command syntax. Can anyone tell me how to 
use openssl to create a self-signed cert for my mozilla browser to 
import (and to also be signed by the web site's own CA)?
Frank Hecker | 9 Sep 2005 16:34

Re: OpenSSL certs on Mozilla

nospam wrote:
> I see mozilla browsers allow import of PKCS12 certs (I'm using mozilla 
> on linux). There's a lot of documentation on creating certs for apache, 
> but I'm looking for the command for creating a cert for mozilla that the 
> web site owner can sign and then use for access to the private web page. 
> I imagine the command starts something like "openssl pkcs12", but I'm 
> not finding the rest of the command syntax. Can anyone tell me how to 
> use openssl to create a self-signed cert for my mozilla browser to 
> import (and to also be signed by the web site's own CA)?

You'd be better off asking this question in the 
netscape.public.mozilla.crypto newsgroup (or the corresponding 
mozilla-crypto <at> mozilla.org mailing list).

Also, it's not clear to me what you want to do: Are you trying to 
SSL-enable the web server, and you just need the browsers to be able to 
recognize the server's certificate? (And if this is the case, it's not 
clear whether the server's certificate is self-signed or whether the web 
server's certificate is signed by a CA.)

Or are you trying to have the browsers do SSL client authentication to 
the web server (in which case each browser instance would need its own 
certificate and associated private key).

I recommend you re-post to the crypto newsgroup/mailing list, and 
provide a little more background on what you are trying to do.

Frank

-- 

nospam | 12 Sep 2005 04:47

Re: OpenSSL certs on Mozilla

...
> I recommend you re-post to the crypto newsgroup/mailing list, and 
> provide a little more background on what you are trying to do.

I'll repost...but just in case you are curious, the web site is 
self-signed, and the browser owner will not be allowed onto the web 
pages unless they belong to a group of people who have their own 
personal ssl certs. Those personal ssl certs would be signed by my 
server's self-signed ca. Only I'm not finding documentation on how to 
create the key pairs in a format that mozilla can import, the pkcs12 
(the man page lists the option, but making it work is an entirely 
different topic...it's rather complicated).
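The workflow described in this post (a self-signed CA owned by the site, personal certificates signed by that CA, packaged so a Mozilla browser can import them), worked through as an added example that is not code from the thread. It drives the `openssl` command-line tool from Python so each command is visible; it assumes `openssl` is on the PATH, and the CA name, the user name `alice` and the export password are constructed placeholders. The final step is the `openssl pkcs12 -export` invocation the original question was after.

```python
"""Build a browser-importable PKCS#12 client certificate signed by a private CA.

Added example, not code from the thread. Assumes the `openssl` CLI is on
PATH; all names and the export password are constructed placeholders.
"""
import subprocess
import tempfile
from pathlib import Path


def _openssl(*args: str) -> None:
    # Run one openssl subcommand; a non-zero exit raises so failures are loud.
    subprocess.run(["openssl", *args], check=True,
                   stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)


def make_private_ca(workdir: Path, name: str = "Example Private CA"):
    """Create the site's own self-signed CA: a key and a certificate."""
    key, crt = workdir / "ca.key", workdir / "ca.crt"
    _openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "365",
             "-subj", f"/CN={name}", "-keyout", str(key), "-out", str(crt))
    return key, crt


def make_client_p12(workdir: Path, user: str, ca_key: Path, ca_crt: Path,
                    export_password: str) -> Path:
    """Key pair + CSR for one user, signed by the CA, bundled as PKCS#12."""
    key, csr, crt, p12 = (workdir / f"{user}.{ext}" for ext in ("key", "csr", "crt", "p12"))
    # 1. The user's own key pair and certificate signing request.
    _openssl("req", "-new", "-newkey", "rsa:2048", "-nodes",
             "-subj", f"/CN={user}", "-keyout", str(key), "-out", str(csr))
    # 2. The site owner signs the request with the private CA.
    _openssl("x509", "-req", "-in", str(csr), "-CA", str(ca_crt), "-CAkey", str(ca_key),
             "-CAcreateserial", "-days", "365", "-out", str(crt))
    # 3. Key + certificate (+ the CA certificate) into one .p12 for browser import.
    _openssl("pkcs12", "-export", "-inkey", str(key), "-in", str(crt),
             "-certfile", str(ca_crt), "-name", user,
             "-passout", f"pass:{export_password}", "-out", str(p12))
    return p12


def p12_chains_to_ca(p12: Path, export_password: str, ca_crt: Path) -> bool:
    """Extract the client cert back out of the bundle and verify it against the CA."""
    extracted = p12.with_suffix(".check.crt")
    _openssl("pkcs12", "-in", str(p12), "-passin", f"pass:{export_password}",
             "-nokeys", "-clcerts", "-out", str(extracted))
    result = subprocess.run(["openssl", "verify", "-CAfile", str(ca_crt), str(extracted)],
                            capture_output=True, text=True)
    return result.returncode == 0 and ": OK" in result.stdout


def demo() -> bool:
    """Full run in a scratch directory; True when alice.p12 verifies against the CA."""
    with tempfile.TemporaryDirectory() as tmp:
        workdir = Path(tmp)
        ca_key, ca_crt = make_private_ca(workdir)
        p12 = make_client_p12(workdir, "alice", ca_key, ca_crt, "changeit")
        return p12_chains_to_ca(p12, "changeit", ca_crt)


if __name__ == "__main__":
    print("client .p12 verifies against the private CA:", demo())
```

The resulting `alice.p12` is what the browser's certificate manager imports (it prompts for the export password). Bundling `ca.crt` with `-certfile` means the browser also sees the issuing CA; on the server side, Apache's mod_ssl then needs `SSLVerifyClient require` with `SSLCACertificateFile` pointing at the same `ca.crt`, so that only certificates signed by that CA are accepted.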
Frank Hecker | 15 Sep 2005 23:47

Tips on server-side URL sanitizing?

This is somewhat off-topic for this group, so I beg your forgiveness in 
advance: I am in the process of setting up a comments system on my 
personal blog, have been trying to determine how to properly filter 
user-submitted content to minimize the possibility of cross-site 
scripting attacks (including reading a number of articles on the topic 
[1]), and still have one or two questions. (One of my questions is 
actually about Firefox, to bring this back on topic a bit.)

(You may also ask: Frank, doesn't your blogging software take care of 
this? And I answer: No, since I was determined to be different, run 
Blosxom instead of WordPress, MT, etc., and am writing my own code to 
handle comments because I don't like the available options in Blosxom :-)

First, I won't be allowing HTML tags in submitted comments. My plan was 
to simply use the Perl CGI::EscapeHTML function (Blosxom is written in 
Perl) to convert '<', '>', double quote, and 0x8b and 0x9b to the 
corresponding HTML character entities prior to the submitted comment 
being saved and displayed. Is this sufficient, or should I be escaping 
other characters as well?

Second, and more important (because I'm still unclear on this): I'll be 
accepting URLs submitted with comments (as part of an email/URL text 
field), and I obviously need to do something with them to avoid XSS 
problems. The question is, what? I've gotten the impression that url 
encoding characters like '<' that might appear in submitted URLs is not 
a total solution, and that retaining characters like '<' in the URL, 
even in encoded form, could be a problem.

What's the recommended approach? One thought I had was to parse the URL, 
go through any query parameters one by one, decode them, totally strip 

Gervase Markham | 18 Sep 2005 23:27

Re: Tips on server-side URL sanitizing?

Frank Hecker wrote:
> First, I won't be allowing HTML tags in submitted comments. My plan was 
> to simply use the Perl CGI::EscapeHTML function (Blosxom is written in 
> Perl) to convert '<', '>', double quote, and 0x8b and 0x9b to the 
> corresponding HTML character entities prior to the submitted comment 
> being saved and displayed. Is this sufficient, or should I be escaping 
> other characters as well?

That is sufficient.

> Second, and more important (because I'm still unclear on this): I'll be 
> accepting URLs submitted with comments (as part of an email/URL text 
> field), and I obviously need to do something with them to avoid XSS 
> problems. The question is, what? I've gotten the impression that url 
> encoding characters like '<' that might appear in submitted URLs is not 
> a total solution, and that retaining characters like '<' in the URL, 
> even in encoded form, could be a problem.

In encoded form, they should be safe.

In fact, assuming that your HTML delimits the href="" with double 
quotes, you can simply escape double quotes to %XX and that _should_ be 
sufficient.

Gerv
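Both halves of the exchange above (escaping the comment body for a text node, and making a submitted URL safe to drop into `href=""`) in working form, added here as an example rather than code from either post. It does what Gerv describes, percent-encoding characters such as `"` and `<` so they cannot break out of the attribute, and then HTML-escapes the attribute value as a second, independent layer. It goes one step further than the thread by also allow-listing the URL scheme, since a syntactically clean `javascript:` URL is still a script. Everything here uses the Python standard library; the function names and sample inputs are constructed for the example.

```python
"""Escape comment text and allow-list submitted URLs before rendering them.

Added example, not code from the thread. Standard library only; function
names and sample inputs are constructed for illustration.
"""
import html
from typing import Optional
from urllib.parse import quote, urlsplit, urlunsplit

# Only link targets a blog comment should ever carry.
ALLOWED_SCHEMES = {"http", "https"}

# Characters allowed to stay literal in each component; anything else becomes %XX.
# '%' is kept so an already-encoded URL is not double-encoded.
_PATH_SAFE = "/%:@-._~!$&'()*+,;="
_QUERY_SAFE = "=&%:@-._~!$'()*+,;/?"


def escape_comment(text: str) -> str:
    """Comment body goes into an HTML text node: escape & < > \" and '."""
    return html.escape(text, quote=True)


def sanitize_url(raw: str) -> Optional[str]:
    """Return a URL that is safe to place inside href="...", or None to reject it."""
    parts = urlsplit(raw.strip())
    # Reject javascript:, data:, vbscript:, scheme-less and host-less values outright.
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return None
    # The host part gets no percent-encoding, so it must be plain host[:port] syntax.
    if not all(c.isalnum() or c in ".-:@[]_" for c in parts.netloc):
        return None
    # Percent-encode the remaining components: '<', '"', spaces and control bytes
    # come out as %XX, which is what keeps them inert inside the attribute.
    path = quote(parts.path, safe=_PATH_SAFE)
    query = quote(parts.query, safe=_QUERY_SAFE)
    fragment = quote(parts.fragment, safe=_QUERY_SAFE)
    return urlunsplit((parts.scheme.lower(), parts.netloc, path, query, fragment))


def render_link(raw_url: str, label: str) -> str:
    """Anchor for a comment: sanitize the URL, then escape it for the attribute context."""
    safe = sanitize_url(raw_url)
    if safe is None:
        return escape_comment(label)  # keep the commenter's name, drop the link
    # html.escape turns '&' in the query into '&amp;' and would neutralise any
    # quote the URL step somehow let through: two independent layers.
    return f'<a href="{html.escape(safe, quote=True)}">{escape_comment(label)}</a>'


if __name__ == "__main__":
    for url in ('http://example.com/a b?q=<x>', 'javascript:alert(1)',
                'http://example.com/"onmouseover="x'):
        print(repr(url), "->", repr(sanitize_url(url)))
    print(render_link('http://example.com/?a=1&b=<s>', 'site'))
```

The order matters: URL-level encoding is applied first, on the parsed components, and HTML attribute escaping last, on the finished string, so each layer sees exactly the context it is responsible for.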
Frank Hecker | 19 Sep 2005 17:33

Re: Tips on server-side URL sanitizing?

Thanks for the info!

Frank

-- 
Frank Hecker
hecker <at> hecker.org
Brian Lindquist | 21 Sep 2005 10:24

Solution for FF vulns

Hire a few hackers; in order to determine the person's skills, just set up a 
server and let everyone "go at it".

Seems logical...of course the question remains, can you trust them?
