Bugtraq mailing list archives
Re: Fwd: CERT Advisory CA-2000-02
From: marcs () ZNEP COM (Marc Slemko)
Date: Thu, 3 Feb 2000 14:29:23 -0700
On Thu, 3 Feb 2000 Shockro () AOL COM wrote:

> I'm curious as to how this could be used in a malicious manner, as opposed to just being an annoyance. I mean, god forbid, people should execute arbitrary javascript on us. Yes, we've all seen the file upload form exploit and the 1001 ways to crash Internet Explorer through infinite loops, but there's nothing seriously harmful about this, am I right? Please correct me if I'm wrong.
You are completely wrong. Please go through the full text of the CERT advisory, and the info in the Apache and (in particular) Microsoft web sites.

This is a problem because it breaks some of the site-specific barriers. A very simple example is that this could be used to steal someone's cookie, which may be what is used to authenticate them. The problem is a very broad one, however, with a huge number of specific instances, most of which have probably not been discovered. It also goes beyond just javascript, since javascript is not necessary to exploit this in certain ways.

Again, this is not a javascript problem. This is also not just the same old "if user B submits something to a site that is then shown to user A, you have to filter or encode it" problem. This is "if user A submits something to a site that is sent back unfiltered and unencoded to user A, then you have a security problem". Yes, this is a new issue. Well, the components of it are (mostly) nothing new, but putting them together is.

Also note that filtering or encoding things is not as easy as you may think. There are far too many very annoying things, including character set issues and browser specific extensions.

From my brief survey last week, most of the top commerce sites are vulnerable to some degree (if it can be exploited to any dangerous effect, however, is another issue) and most webserver products are vulnerable themselves; Apache's vulnerabilities are among the less serious compared to a number of other products. Even some products where the vendor has released a statement saying "no problems" have obvious problems. Don't start thinking this is just a vendor problem though; the real issue with this problem is that fixing it requires a site to fix all their locally created dynamic content.
--
Marc Slemko | Apache Software Foundation member
marcs () znep com | marc () apache org
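The "sent back unfiltered and unencoded to user A" case from the reply, shown as an added example that is not from the original post or from any vendor code: a constructed search page rendered once with the request parameter reflected verbatim and once with it HTML-encoded, using an encoder that also emits pure ASCII so the result does not depend on which character set the browser assumes (the handler names and page template are hypothetical).

```python
# Added example (not from the original post). Two renderings of the same
# constructed "search results" page: the reflected parameter is the only
# thing that differs between the vulnerable and the hardened version.

HTML_ESCAPES = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#x27;",
}


def encode_for_html(text: str) -> str:
    """Encode untrusted text for an HTML text node or a double-quoted
    attribute value. Everything outside printable ASCII becomes a numeric
    character reference, so the output is identical whatever character
    set the browser ends up applying to the page."""
    out = []
    for ch in text:
        if ch in HTML_ESCAPES:
            out.append(HTML_ESCAPES[ch])
        elif 0x20 <= ord(ch) < 0x7F:
            out.append(ch)
        else:
            out.append(f"&#x{ord(ch):X};")
    return "".join(out)


# Constructed page template; the parameter lands in a text node and in an
# attribute value, two of the contexts the encoder above has to cover.
PAGE = ('<html><body><p>Results for "{q}"</p>'
        '<form><input name="q" value="{q}"></form></body></html>')


def render_vulnerable(query: str) -> str:
    """Before: user A's own input is sent straight back to user A."""
    return PAGE.format(q=query)


def render_hardened(query: str) -> str:
    """After: the same page, but the reflected value is encoded first."""
    return PAGE.format(q=encode_for_html(query))


def response_headers() -> dict:
    """Declare the character set explicitly instead of letting the browser
    guess it; the encoded body is plain ASCII, which is a subset of UTF-8."""
    return {"Content-Type": "text/html; charset=utf-8"}
```

If the parameter is also placed inside a script block or a URL, this text/attribute encoder is not enough; each output context needs its own encoding rule.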