WebApp Sec mailing list archives

AMD web forums trojaned by WMF exploit


From: "Evans, Arian" <Arian.Evans () fishnetsecurity com>
Date: Tue, 31 Jan 2006 13:02:55 -0600

I posted to a few of the lists about WMF and webappsec
earlier, thinking there would be more abuse of WMF in
webapps on the Internet:

AMD was hit by a cross-site-WMF:
http://www.f-secure.com/weblog/archives/archive-012006.html#00000795

So there are two issues here. (a) embedding *stuff* cross site,
and (b) content type safety.

I think this issue is relevant to webappsec. Here's why:

1. Input Validation
2. Input Validation

We all know the joy of strongly typing data, but how often do we
give the same treatment to *content* in binary formats? For example,
see just about any web-based DMS that runs on Windows.

Why is this? Due to difficulty?

I've seen web-based DMS systems on *nix platforms perform basic binary
file type validation using utilities like 'file'.

Should we not be using content validation libraries to verify
our jpgs are really jpgs (and not windows metafiles), our Word
docs are word docs, etc. etc. etc.?

Seems reasonable that if I want to scrub metacharacters to prevent
attackers from XSSing my web-based DMS users, I might want to prevent
the ability to launch BoF remote root attacks via embedded content.

I would give much higher priority to a remote root BoF (than an XSS),
though there are a greater range of mitigating controls available
to counter malicious content (e.g. local AV engines with appropriate
signatures, network IPS, etc.).

That is my thought for the year. Now I am spent,

p.s.--I will be over on the continent a priori the event known as Black
Hat and shortly thereafter. If any of you are around Amsterdam Feb 20-something
to week of March 5th and would like me to buy you a beer in apology for
inane posts, email me and a beer is yours.

For social email use my first name at anachronic.com. 

Arian J. Evans
FishNet Security

816.421.6611 [office]
816.701.2045 [direct] <--checked infrequently
888.732.9406 [toll-free]
816.421.6677 [fax]
913.710.7045 [mobile] <--daily/international access
aevans () fishnetsecurity com [email]

http://www.fishnetsecurity.com
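The content validation the post argues for (verify that a "jpg" really is a JPEG and not a Windows metafile, independent of file name or declared type) comes down to checking the leading bytes of the upload against known format signatures, the same idea the 'file' utility applies. The following is an added example written for this archive page, not code from the original post or from FishNet Security. It sniffs a handful of image and document formats by magic bytes, including both WMF header variants and EMF, and then rejects any upload whose sniffed type disagrees with its extension or falls outside an allowlist. The sample blobs are constructed here for illustration and are not real files.

```python
import struct
from typing import Optional, Tuple

# Types the application is willing to store and serve back to users.
ALLOWED = {"jpeg", "png", "gif", "pdf", "ole2"}

# Extension -> the sniffed type it must agree with. Anything else is rejected.
EXT_TO_TYPE = {
    "jpg": "jpeg", "jpeg": "jpeg", "png": "png", "gif": "gif",
    "pdf": "pdf", "doc": "ole2",
}


def sniff(data: bytes) -> Optional[str]:
    """Identify a blob by its leading bytes (magic numbers) only.

    Name, extension and Content-Type are attacker-controlled, so none of
    them are consulted here.
    """
    if data.startswith(b"\xFF\xD8\xFF"):
        return "jpeg"
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        return "png"
    if data[:6] in (b"GIF87a", b"GIF89a"):
        return "gif"
    if data.startswith(b"%PDF-"):
        return "pdf"
    # OLE2 compound document (legacy Word/Excel binary formats).
    if data.startswith(b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"):
        return "ole2"
    # Placeable (Aldus) WMF: 32-bit key 0x9AC6CDD7 stored little-endian.
    if data.startswith(b"\xD7\xCD\xC6\x9A"):
        return "wmf"
    # Standard WMF header: mtType 1 or 2, mtHeaderSize 9 (words),
    # mtVersion 0x0100 or 0x0300, all little-endian 16-bit fields.
    if len(data) >= 6:
        mt_type, hdr_size, version = struct.unpack("<HHH", data[:6])
        if mt_type in (1, 2) and hdr_size == 9 and version in (0x0100, 0x0300):
            return "wmf"
    # EMF: record type 1 at offset 0 and the " EMF" signature at offset 40.
    if len(data) >= 44 and data[:4] == b"\x01\x00\x00\x00" and data[40:44] == b" EMF":
        return "emf"
    return None


def validate_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Accept only if extension, sniffed content and allowlist all agree."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    expected = EXT_TO_TYPE.get(ext)
    if expected is None:
        return False, f"extension '{ext}' not accepted"
    actual = sniff(data)
    if actual is None:
        return False, "unrecognised content"
    if actual != expected:
        # The cross-site-WMF case: metafile bytes behind an image extension.
        return False, f"content is {actual}, not {expected}"
    if actual not in ALLOWED:
        return False, f"{actual} not allowed"
    return True, actual


# Constructed sample blobs (headers only, padded; not real files).
JPEG_SAMPLE = b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00" + b"\x00" * 8
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8
PLACEABLE_WMF_SAMPLE = b"\xD7\xCD\xC6\x9A" + b"\x00" * 18
STANDARD_WMF_SAMPLE = b"\x02\x00\x09\x00\x00\x03" + b"\x00" * 12


def run_samples() -> dict:
    """Run the validator over the constructed uploads and collect verdicts."""
    uploads = {
        "photo.jpg (real JPEG)": ("photo.jpg", JPEG_SAMPLE),
        "photo.jpg (placeable WMF)": ("photo.jpg", PLACEABLE_WMF_SAMPLE),
        "photo.jpg (standard WMF)": ("photo.jpg", STANDARD_WMF_SAMPLE),
        "logo.wmf (declared WMF)": ("logo.wmf", PLACEABLE_WMF_SAMPLE),
        "icon.png (real PNG)": ("icon.png", PNG_SAMPLE),
    }
    return {label: validate_upload(name, blob) for label, (name, blob) in uploads.items()}


if __name__ == "__main__":
    for label, (ok, reason) in run_samples().items():
        print(f"{'ACCEPT' if ok else 'REJECT':6} {label}: {reason}")
```

The point of keeping the extension map and the allowlist separate is that a file can be internally consistent (a .wmf that really is a WMF) and still be something the application should never store or serve; both checks have to pass. A production validator would go further than a header check, for instance by re-encoding images through a decoder, but the magic-byte test alone already catches the metafile-behind-a-jpg case the F-Secure write-up describes.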



