Wednesday's CERT advisory CA-2000-02 "Malicious HTML Tags Embedded in Client Web Requests" has received some attention in the mass media. This is very appropriate due to the importance of the reported problem. However, many media reports have contained a number of inaccuracies about the nature, scope, and impact of the problem. This post is intended to clear up a number of misconceptions about what the problem is and what the impact is. For the full details, including an enumeration of a number of possible attack scenarios, the CERT advisory should be read in its entirety.

Misconception #1: This is a single bug or problem

The CERT advisory warns of an entire class of attacks. Every web site that offers more than simple unchanging HTML pages is potentially at risk. This means every e-commerce site, every auction site, every web-based mail site, etc. Any software that can understand and interpret URLs and HTML, and communicates with the outside world, is also potentially at risk.

Misconception #2: This problem is "new"

Security experts and hackers have been aware of the ability to exploit these problems for a long time, but creators of web sites and web-enabled software have for the most part not paid adequate attention to these problems. CERT's motivation appears to be to raise awareness of these significant dangers in the hope that future and existing systems will be (re-)engineered with these problems in mind.

Misconception #3: This problem has never been exploited by hackers

Many of the problems with Microsoft's Hotmail have been due to attacks which fall within the range of this security advisory, as does the eBayla attack on eBay.

Misconception #4: The potential damage from these attacks is minimal

While scripting languages have very limited ability to take actions that can lead to security compromises in the traditional sense, they allow for a wide range of new attacks that can be equally devastating to a host system or company.
Most attacks involving scripts lead to the loss or alteration of protected, valuable or sensitive information like credit card numbers, customer information, passwords, or even the contents of entire pages on private intranets. If this information can be easily accessed or manipulated, there is often no longer any need to break into or gain administrative access to the machine. The critical function of the server, which is its ability to protect and process sensitive or valuable information, has already been compromised.

Tim Hollebeek
Reliable Software Technologies
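The class of problem the advisory describes, shown as an added example that is not part of the post or of CERT's advisory: a search page that writes a client-supplied query parameter back into its HTML verbatim, beside the same page with the parameter entity-encoded, and a cheap server-side screen for parameters that carry markup. The request targets, the `render_unsafe`/`render_escaped` handlers and the `looks_like_markup` check are all constructed for this illustration.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample request targets (not taken from the advisory or the post):
# a harmless search, and one whose query string carries HTML markup.
SAMPLE_REQUESTS = [
    "/search?q=network+security",
    "/search?q=%3Cb%3Ebold%3C%2Fb%3E+text",
]


def query_param(request_target, name):
    """Return the first value of query parameter `name` from a request target."""
    qs = urlsplit(request_target).query
    return parse_qs(qs, keep_blank_values=True).get(name, [""])[0]


def render_unsafe(term):
    """The pattern the advisory warns about: the client-supplied term is written
    into the page verbatim, so any tags it carries are parsed by the browser as
    if the site itself had authored them."""
    return "<p>Results for: %s</p>" % term


def render_escaped(term):
    """Hardened form: every character with HTML meaning (&, <, >, quotes) is
    entity-encoded, so the browser displays the term instead of parsing it."""
    return "<p>Results for: %s</p>" % html.escape(term, quote=True)


# The region of the page that came from the client; the site's own <p> wrapper
# is deliberately excluded so only foreign markup is reported.
REFLECTED = re.compile(r"<p>Results for: (.*)</p>$", re.S)


def reflected_tags(page):
    """Return the HTML tags that appear inside the reflected term of a rendered page."""
    body = REFLECTED.match(page).group(1)
    return re.findall(r"<[^>]+>", body)


def looks_like_markup(value):
    """Server-side screen for a request parameter: True if it contains a tag or an
    entity, i.e. the kind of value a site should log or reject before rendering."""
    return re.search(r"<\s*/?\s*[a-zA-Z]|&#?\w+;", value) is not None


if __name__ == "__main__":
    for target in SAMPLE_REQUESTS:
        term = query_param(target, "q")
        print(target, "markup:", looks_like_markup(term))
        print("  unsafe :", render_unsafe(term), reflected_tags(render_unsafe(term)))
        print("  escaped:", render_escaped(term), reflected_tags(render_escaped(term)))
```

Output encoding at the point where the value is written into the page is the fix; the markup screen only tells you which requests to look at.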
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:33:34 PDT