Dailydave mailing list archives

US-CERT: SSL VPNS for fun and profit.


From: dave <dave () immunityinc com>
Date: Tue, 01 Dec 2009 11:35:45 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

http://www.kb.cert.org/vuls/id/261869
"""
Clientless SSL VPN products break web browser domain-based security models

Overview

Clientless SSL VPN products from multiple vendors operate in a way that
breaks fundamental browser security mechanisms. An attacker could use
these devices to bypass authentication or conduct other web-based attacks.
...
This issue was discovered by David Warren and Ryan Giobbi. Much of the
original research into this issue was done by Michal Zalewski. <--good
thing you don't live in France! :>
"""

The funny thing with these products (as we've seen them here) is they
work as if they are accessing only one security domain. So you pretty
much need to lock them down JUST to your OWA site. If you let them
access your whole intranet, you've "mitigated" a lot of risk, but you've
reduced your intranet to a single "completely trusted" zone. Which may
be "as intended" but it's probably not.

And of course, JavaScript does not end your problems. Some of them also
parse (and attempt to sanitize) Java applets, Flash, etc.

- -dave
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAksVReEACgkQtehAhL0gheqLSQCfSqGpyFojyUJrhq6uu9YaKZTG
30IAnjI264xuDpnAWayoTlaxl+oJ6FZN
=hWb2
-----END PGP SIGNATURE-----
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
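The origin collapse that the advisory and the message above describe, as an added example that is not part of the original post or of US-CERT's advisory: a small model of a clientless SSL VPN URL rewriter (the vpn.example.com appliance host, the /proxy/ path prefix and the sample intranet URLs are hypothetical, not any vendor's real format), showing that distinct intranet origins all become the appliance's single origin after rewriting, together with a host allowlist that restricts the proxy to one site such as OWA.

```javascript
// Hypothetical clientless SSL VPN URL rewriting, modelled for illustration.
// Real appliances use vendor-specific encodings; the point is the same.
const VPN_ORIGIN = "https://vpn.example.com"; // hypothetical appliance host
const PROXY_PREFIX = "/proxy/";               // hypothetical path prefix

// Rewrite an internal URL the way a clientless SSL VPN does: scheme and host
// are folded into the path, so the browser attributes every proxied page to
// VPN_ORIGIN instead of to the original server.
function rewriteUrl(internalUrl) {
  const u = new URL(internalUrl);
  const scheme = u.protocol.replace(":", "");
  return `${VPN_ORIGIN}${PROXY_PREFIX}${scheme}/${u.host}${u.pathname}${u.search}`;
}

// Browser-visible origin (scheme + host + port) of a URL; this is what the
// same-origin policy compares for cookies, DOM access and XMLHttpRequest.
function originOf(url) {
  return new URL(url).origin;
}

// True when the same-origin policy would let script on `a` touch `b`.
function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// Count distinct origins in a list of URLs before and after rewriting.
function originCollapse(urls) {
  const before = new Set(urls.map(originOf));
  const after = new Set(urls.map((u) => originOf(rewriteUrl(u))));
  return { before: before.size, after: after.size };
}

// The "lock it down to one site" configuration: only hosts on the allowlist
// are rewritten; any other internal URL is refused rather than proxied.
function makeRestrictedRewriter(allowedHosts) {
  const allowed = new Set(allowedHosts.map((h) => h.toLowerCase()));
  return function restrictedRewrite(internalUrl) {
    const host = new URL(internalUrl).host.toLowerCase();
    if (!allowed.has(host)) return null; // not reachable through the VPN
    return rewriteUrl(internalUrl);
  };
}

// Constructed sample: three intranet sites a user might be allowed to reach.
const SAMPLE_URLS = [
  "https://owa.corp.example/owa/",
  "http://wiki.corp.example/page?id=7",
  "https://hr.corp.example/payroll",
];

// Stand-alone demonstration.
const collapse = originCollapse(SAMPLE_URLS);
console.log(`origins before proxying: ${collapse.before}, after: ${collapse.after}`);
console.log(
  "wiki script can read payroll directly:",
  sameOrigin(SAMPLE_URLS[1], SAMPLE_URLS[2]),
  "| through the VPN:",
  sameOrigin(rewriteUrl(SAMPLE_URLS[1]), rewriteUrl(SAMPLE_URLS[2]))
);
const owaOnly = makeRestrictedRewriter(["owa.corp.example"]);
console.log("allowlisted OWA:", owaOnly(SAMPLE_URLS[0]));
console.log("refused wiki:", owaOnly(SAMPLE_URLS[1]));
```

Once every proxied page shares VPN_ORIGIN, script injected into the least trusted of them (a stored XSS on the wiki, say) runs with access to the DOM, cookies and authenticated requests of every other proxied page, and to the appliance's own session cookie; that is the sense in which the whole intranet becomes one "completely trusted" zone. The allowlisted rewriter is the configuration the message recommends: the proxy reaches OWA and nothing else, so there is no second site for an injected script to pivot into.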

