Dailydave mailing list archives
US-CERT: SSL VPNS for fun and profit.
From: dave <dave () immunityinc com>
Date: Tue, 01 Dec 2009 11:35:45 -0500
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 http://www.kb.cert.org/vuls/id/261869 """ Clientless SSL VPN products break web browser domain-based security models Overview Clientless SSL VPN products from multiple vendors operate in a way that breaks fundamental browser security mechanisms. An attacker could use these devices to bypass authentication or conduct other web-based attacks. ... This issue was discovered by David Warren and Ryan Giobbi. Much of the original research into this issue was done by Michal Zalewski. <--good thing you don't live in France! :> """ The funny thing with these products (as we've seen them here) is they work as if they are accessing only one security domain. So you pretty much need to lock them down JUST to your OWA site. If you let them access your whole intranet, you've "mitigated" a lot of risk, but you've reduced your intranet to a single "completely trusted" zone. Which may be "as intended" but it's probably not. And of course, Javascript does not end your problems. Some of them also parse (and attempt to sanitize) Java applets, Flash, etc. - -dave -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iEYEARECAAYFAksVReEACgkQtehAhL0gheqLSQCfSqGpyFojyUJrhq6uu9YaKZTG 30IAnjI264xuDpnAWayoTlaxl+oJ6FZN =hWb2 -----END PGP SIGNATURE----- _______________________________________________ Dailydave mailing list Dailydave () lists immunitysec com http://lists.immunitysec.com/mailman/listinfo/dailydave
Current thread:
- US-CERT: SSL VPNS for fun and profit. dave (Dec 01)
- Re: US-CERT: SSL VPNS for fun and profit. Michal Zalewski (Dec 01)