Bugtraq mailing list archives
Re: common dns misconfiguration can lead to "same site" scripting
From: Florian Weimer <fweimer () bfk de>
Date: Mon, 21 Jan 2008 09:25:08 +0100
* Tavis Ormandy:
> Hello, I'd like to document what appears to be a common named misconfiguration that can result in a minor security issue with web applications.
Interesting, thanks. I did some digging because I remembered a rule to put "localhost" nodes into all zones. It turns out that this was once recommended by RFC 1537:

| Note that all domains that contain hosts should have a "localhost" A
| record in them.

That RFC was obsoleted by RFC 1912 in 1996, so there's no RFC conformance issue if you omit the domain names. But it explains why there are so many zones that contain them.
> The JavaScript SOP (http://www.mozilla.org/projects/security/components/same-origin.html) does include the port number, whereas RFC2109 (http://www.ietf.org/rfc/rfc2109.txt) explicitly does not. This behaviour is arguably incorrect, making it impossible to securely host a website from a multi-user machine, but nevertheless is the case, and is implemented by most major browsers.
A lot of deployed applications (including some of yours) would break if cookies did not allow port switching.

--
Florian Weimer <fweimer () bfk de>
BFK edv-consulting GmbH http://www.bfk.de/
Kriegsstraße 100 tel: +49-721-96201-1
D-76133 Karlsruhe fax: +49-721-96201-99
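An added example, not part of the thread: one way to audit a zone file for the "localhost" A records discussed above. It generalizes to any owner name that publishes a loopback address under the zone. The sample zone, the function names and example.com are constructed for illustration.

```python
import ipaddress

# Constructed sample zone (not from the thread), using documentation addresses.
SAMPLE_ZONE = """\
$ORIGIN example.com.
@          IN SOA ns1 hostmaster 2008012101 3600 900 604800 3600
           IN NS  ns1
localhost  IN A   127.0.0.1   ; relative owner: localhost.example.com.
www        IN A   192.0.2.80
dev    300 IN A   127.0.0.1
localhost. IN A   127.0.0.1   ; absolute owner, not under the zone
"""

def qualify(name, origin):
    """Expand a zone-file owner name to a lower-case FQDN."""
    if name == "@":
        return origin.lower()
    if name.endswith("."):
        return name.lower()
    return (name + "." + origin.lstrip(".")).lower()

def loopback_names(zone_text, origin="."):
    """Return sorted (fqdn, address) pairs for A/AAAA records that publish a
    loopback address. Handles $ORIGIN, '@', relative and blank owners; does
    not handle parentheses, $INCLUDE or unit TTLs such as 1h."""
    findings, owner = set(), "@"
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        fields = line.split()
        if not fields:
            continue
        if fields[0].startswith("$"):
            if fields[0].upper() == "$ORIGIN" and len(fields) > 1:
                origin = fields[1]
            continue
        if not line[0].isspace():  # owner present; otherwise reuse previous
            owner = fields.pop(0)
        while fields and (fields[0].isdigit() or fields[0].upper() in ("IN", "CH", "HS")):
            fields.pop(0)  # skip optional TTL and class
        if len(fields) < 2 or fields[0].upper() not in ("A", "AAAA"):
            continue
        try:
            addr = ipaddress.ip_address(fields[1])
        except ValueError:
            continue
        fqdn = qualify(owner, origin)
        if addr.is_loopback and fqdn != "localhost.":
            findings.add((fqdn, str(addr)))
    return sorted(findings)
```

Calling `loopback_names(SAMPLE_ZONE)` reports `localhost.example.com.` and `dev.example.com.`; the absolute `localhost.` record is skipped because it is not a name under the zone.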