[WEB4LIB] RE: CERT Advisory CA-2000-02

Andrew Mutch amutch at waterford.lib.mi.us
Thu Feb 3 13:03:49 EST 2000


I think there are 2 important issues:

1) Don't use scripts that fail to protect you or your end-user from malicious
coding.  I've seen sites where the message board has been "hacked" by someone
dropping in some HTML into a message.  In those cases, it was something innocuous
like a graphic or colored text.  But, thanks to the swiss cheese security of IE
and Outlook, it wouldn't be too difficult to include a malicious script that
could wreak havoc on an unsuspecting visitor.  What obligation as a site owner
do you have to protect your visitors from such an occurrence?

2) As a browser, you need to be aware of the potential dangers of surfing sites
indiscriminately.  The solution may be as simple as boosting the security in
Outlook to prevent malicious code from executing and spamming all of your
friends with junk mail.  Still, people need to be aware that it isn't that
difficult these days to cause trouble.

Andrew Mutch
Library Systems Technician
Waterford Township Public Library
Waterford, MI



"Drew, Bill" wrote:

> How serious is this threat?  Many databases and online catalogs rely on
> scripting and would not be functional without it.  That is not saying that
> they should be using scripts.  It is just a reality.
> -----
> Wilfred (Bill) Drew
> Associate Librarian, Systems and Reference
> SUNY Morrisville College Library
> drewwe at morrisville.edu
> Home: http://www.morrisville.edu/~drewwe
> Not Just Cows: http://www.morrisville.edu/~drewwe/njc/
> Library: http://www.morrisville.edu/library/
> "An egotist is a person of low taste -- more interested in himself than me."
> - Ambrose Bierce


