-----BEGIN PGP SIGNED MESSAGE-----

On Thu, 3 Feb 2000 Shockroat_private wrote:

> I'm curious as to how this could be used in a malicious manner, as opposed to
> just being an annoyance. I mean, god forbid, people should execute arbitrary
> javascript on us. Yes, we've all seen the file upload form exploit and the
> 1001 ways to crash Internet Explorer through infinite loops, but there's
> nothing seriously harmful about this, am I right? Please correct me if I'm
> wrong.

You are completely wrong. Please go through the full text of the CERT
advisory, and the info on the Apache and (in particular) Microsoft web sites.

This is a problem because it breaks some of the site-specific barriers. A
very simple example is that this could be used to steal someone's cookie,
which may be what is used to authenticate them. The problem is a very broad
one, however, with a huge number of specific instances, most of which have
probably not been discovered. It also goes beyond just javascript, since
javascript is not necessary to exploit this in certain ways.

Again, this is not a javascript problem.

This is also not just the same old "if user B submits something to a site
that is then shown to user A, you have to filter or encode it" problem. This
is "if user A submits something to a site that is sent back unfiltered and
unencoded to user A, then you have a security problem".

Yes, this is a new issue. Well, the components of it are (mostly) nothing
new, but putting them together is.

Also note that filtering or encoding things is not as easy as you may think.
There are far too many very annoying things, including character set issues
and browser-specific extensions.

From my brief survey last week, most of the top commerce sites are vulnerable
to some degree (whether it can be exploited to any dangerous effect, however,
is another issue) and most webserver products are vulnerable themselves;
Apache's vulnerabilities are among the less serious compared to a number of
other products. Even some products where the vendor has released a statement
saying "no problems" have obvious problems.

Don't start thinking this is just a vendor problem though; the real issue
with this problem is that fixing it requires a site to fix all its locally
created dynamic content.

--
Marc Slemko | Apache Software Foundation member
marcsat_private | marcat_private

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0i for non-commercial use
Charset: noconv

iQCVAwUBOJnzNVQv/g4Arev1AQE2VwP+Npc1Aa9tmyb/4KbjyxCFn879h7bCLZkq
WblwHPocOuW1oiS38ejdqf6V4nn4qSUXjzmhwRK8ZsC15v9dVE3ZaEfwh4Rkd6JK
VpgRdbgI6KcTkWI7ceNNWbu4AsE5t3MJ08RQD9bwr+C6MVj6zby3gyNtNbt16Itl
+0hcVca/F8Y=
=78Oq
-----END PGP SIGNATURE-----
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:33:26 PDT