
List:       gauntlet-user
Subject:    Active content passing "deny-feature"
From:       Ejnar Zacho Rath <ezr () md-oss ! dk>
Date:       1999-01-21 15:41:03

One of my users has shown me that he can get www pages with active
content through our Gauntlet though we are using a 
deny-feature script java activex
statement in our netperm-table.

It looks as if the trick is to have the active content in pages with
names ending in something other than .htm, .html, or ?  You can see an
example on http://home12.inet.tele.dk/dko/index.htm.txt (in Danish,
sorry).

The user claims that this "feature" only works on MSIE 4.x and Netscape
ver. (4 ?)

Any suggestions to block this hole ?

The Gauntlet is 4.1 on Solaris 2.5.1.

Best regards,
-- 
Ejnar Zacho Rath,           | Out of the midst of the gloom came a
Maersk Data AS, Postbox 176,| voice: Smile, for things could be worse.
DK-5100  Odense C, Denmark  | So I smiled and lo, behold,
e-mail: ezr@md-oss.dk       | things did get worse.
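
The failure mode suggested in the message above, as an added example that is not part of the original post and is not Gauntlet code or configuration: a filter that decides by URL name beside one that decides by what the body contains. The function names, the tag list, the sample page and the example.test URLs are constructed, and the model assumes the browser renders the body as HTML whatever the file is called.

```python
import re
from urllib.parse import urlsplit

# Constructed model of a content-filtering proxy (assumption, not Gauntlet's logic).
HTML_SUFFIXES = (".htm", ".html")
# Active-content elements; an unclosed element is stripped to end of body (fail closed).
ACTIVE = re.compile(
    rb"<\s*(script|applet|object|embed)\b.*?(?:<\s*/\s*\1\s*>|\Z)",
    re.IGNORECASE | re.DOTALL,
)
# Markers that suggest a browser could treat the body as HTML.
HTML_HINT = re.compile(
    rb"<\s*(!doctype\s+html|html|head|body|script|applet|object|embed)\b",
    re.IGNORECASE,
)

def strip_active(body: bytes) -> bytes:
    """Remove script/applet/object/embed elements from the body."""
    return ACTIVE.sub(b"", body)

def filter_by_name(url: str, body: bytes) -> bytes:
    """Weak form: the filter only runs when the URL path looks like an HTML page."""
    path = urlsplit(url).path.lower()
    if path in ("", "/") or path.endswith("/") or path.endswith(HTML_SUFFIXES):
        return strip_active(body)
    return body  # any other name passes through untouched

def filter_by_content(url: str, content_type: str, body: bytes) -> bytes:
    """Hardened form: filter when the declared type or the body itself says HTML."""
    declared_html = content_type.split(";")[0].strip().lower() == "text/html"
    if declared_html or HTML_HINT.search(body[:4096]):
        return strip_active(body)
    return body

# Constructed sample inputs.
PAGE = b"<html><body><SCRIPT>alert(1)</SCRIPT><p>hello</p></body></html>"
NOTES = b"Meeting notes: 3 < 5 and 5 > 2\n"

def demo():
    """Return whether active content survives each filter for each constructed URL."""
    has_script = lambda b: b"<script" in b.lower()
    return {
        "name/.htm": has_script(filter_by_name("http://example.test/index.htm", PAGE)),
        "name/.htm.txt": has_script(filter_by_name("http://example.test/index.htm.txt", PAGE)),
        "content/.htm.txt": has_script(
            filter_by_content("http://example.test/index.htm.txt", "text/plain", PAGE)),
    }

if __name__ == "__main__":
    print(demo())
```
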
