Bugtraq mailing list archives
Re: Hotmail security hole - injecting JavaScript using <IMG
From: ajax () LINWORTH ORG (Ajax)
Date: Tue, 11 Jan 2000 11:48:33 -0500
In my dream world, languages like HTML would be required by their own bylaws to explicitly enumerate at least the most blatantly insecure features. There *ought* to be a list somewhere of what tags can have javascript as a value, maintained by whichever authority is in charge of determining such things. Granted this only reduces the (potential) vulnerability to a race condition -- between the updating of the standard and the updating of site filters -- but it's probably as good as we can hope to get.No, it is not. Why are everybody missing the obvious here? It is TRIVIAL to make filters not have these kinds of security problems. The clue is that any security filter MUST default to *D E N Y*, not pass. Any security filter that denies 'bad' stuff and passes everything else is BROKEN. None of these problems would have occurred if MS had stuck to this trivial basic of secure systems design. Eivind.
I'm gonna say that this is untrue for HTML. The language simply moves too much. If some tag, previously thought safe, becomes extended by a particular browser or the language specification itself, then until the filter is updated a potential vulnerability exists. Think of it this way: imagine .forward files didn't have the ability to point to a pipeline, only another email address. You might have a script in place to verify the listed addresses, but other than that... Now imagine we put that functionality back; all of a sudden, your filter is no longer adequate, and it must be updated. Now obviously this overlooks the fact that pipelines and simple addresses have different syntaxes, but I believe the point is made. Obviously a filter designed for one application or even one version of a language will *not* be appropriate for anything else. I don't apply javascript filters to perl scripts the same way I don't filter water with the screen from my front door. I'll even go so far as to suggest that the fact that we're even *dealing* with a versioned language suggests the logical improbability of secure design. Which leads me back to my original assertion: either we come up with a fix for the language, invent a replacement, or engage in the current scrambles at every revision. This last is a race we cannot hope to keep winning, particularly when we aren't even on the ball currently. .a.j.a.x. @ vxgas.linworth.org "You can run Java applets from anyone, anywhere, in complete safety" - Charles L. Perkins, "Teach Yourself Java in 21 Days" 11:26AM up 104 days, 4:28, 2 users, load averages: 0.09, 0.08, 0.08
Current thread:
- Vulnerabilities in Checkpoint FW-1 version 3.x and maybe 4.x, (continued)
- Vulnerabilities in Checkpoint FW-1 version 3.x and maybe 4.x root (Jan 21)
- *BSD procfs vulnerability FEAR Advisories (Jan 21)
- Re: *BSD procfs vulnerability Theo de Raadt (Jan 23)
- stream.c/raped.c tests (just for stats) Vanja Hrustic (Jan 21)
- Microsoft Security Bulletin (MS00-004) Microsoft Product Security (Jan 21)
- Re: Vulnerabilities in Checkpoint FW-1 version 3.x and maybe 4.x Vanja Hrustic (Jan 22)
- Re: Vulnerabilities in Checkpoint FW-1 version 3.x and maybe 4.x Markus Hofmann (Jan 22)
- Administrivia Elias Levy (Jan 18)
- Info on some security holes reported against SCO Unixware. Aaron Sigel (Jan 13)
- ssh-proxy, a new approach to firewall software Magosanyi Arpad (Jan 13)
- Re: Hotmail security hole - injecting JavaScript using <IMG Ajax (Jan 11)
- Serious Bug in Corel Linux.(Local root exploit) tascon () ENETE GUI UVA ES (Jan 12)
- secure-programs howto Signal 11 (Jan 09)
- strace can lie ... but LTT might be handy Karim Yaghmour (Jan 09)
- 2nd attempt: AIX techlibss follows links Klaus.Kusche () OOE GV AT (Jan 10)
- NIS2k Bacano (Jan 11)
- Password issue in Axent ESM 5.0.1 Console Todd (Jan 12)
- Re: Password issue in Axent ESM 5.0.1 Console Scott Blake (Jan 14)
- Local / Remote D.o.S Attack in Super Mail Transfer Package (SMTP) Server for WinNT Version 1.9x Ussr Labs (Jan 13)
- Re: NIS2k Brad Griffin (Jan 13)
- Misleading sense of security in Netscape Craig Ruefenacht (Jan 13)