> The interesting part of this bug is the fact that it's exploitable on some
> very large sites, and is open to a large number of users. Bulletin boards in
> particular allow inline image posting, and this is what creates the
> problem...inline images in a system with cookie based authentication.

One system that has been entirely ignored in the conversation thus far is webmail services. Many webmail clients inline HTML parts, leaving themselves susceptible to attack. More importantly, systems that provide single sign-on to several services through cookie based systems (i.e. a portal) make themselves even more vulnerable. Imagine a portal with webmail. A user receives an inlined image which has its source URL pointing to some service on that portal's network. That request is now authorized as far as the portal's concerned. Even if the mail application is secure from attack, there's no guarantee that all other services on the portal network are secure.

> This technique has more issues than just false authentication, though, and
> could possibly be used towards distributed DoS type attacks. Some forums
> have 50k+ users, and each user who viewed a certain thread could be
> accessing some resource intensive script on a remote server. If posted on
> several highly trafficked forums, the victimized server would go down in no
> time.

The DoS attack is actually much worse than it sounds. Imagine posting an HTML message with an image tag to a newsgroup, instead of a web forum, with heavy traffic (some porn images group). If the image tag had its source pointing to a common URL, it could quickly bring that site down due to the volume of people downloading the message from the newsgroup and referencing the image tag contained within.

Ryan Kennedy
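Added example (editor's code, not part of Ryan Kennedy's message or the original thread): a simulation of the portal scenario described above. A single session cookie authorizes every service on a made-up host portal.example; the "address book" service accepts a state change on any request that carries the cookie, an attacker's forum post embeds an <img> whose src points at that service, and the simulated browser attaches the victim's portal cookie when it fetches the image. The hardened handler refuses the same request by requiring POST plus a per-session anti-forgery token that only the portal's own forms could embed. The host, paths, cookie name and the "address book" service are all assumptions for the example.

```python
"""Constructed example: cookie-authenticated portal, inline-image forgery
against it, and a hardened handler. Hosts, paths and names are made up."""
import re
import secrets
from urllib.parse import urlparse, parse_qs

PORTAL_HOST = "portal.example"   # assumed hostname of the single-sign-on portal


class Portal:
    """One cookie ("sid") grants access to every service on the portal."""

    def __init__(self, hardened=False):
        self.hardened = hardened
        self.sessions = {}      # sid -> username
        self.csrf_tokens = {}   # sid -> secret embedded only in the portal's own forms
        self.address_book = {}  # username -> contacts added through the service

    def login(self, user):
        sid = secrets.token_hex(16)
        self.sessions[sid] = user
        self.csrf_tokens[sid] = secrets.token_hex(16)
        return sid

    def handle(self, method, url, cookies, body=None):
        """Dispatch one HTTP request; `cookies` is whatever the browser attached."""
        user = self.sessions.get(cookies.get("sid"))
        if user is None:
            return 401, "not logged in"
        parsed = urlparse(url)
        if parsed.path != "/addressbook/add":
            return 404, "no such service"
        if self.hardened:
            # The cookie proves the browser is logged in, not that the user
            # asked for this action: demand POST plus the per-session token.
            if method != "POST":
                return 405, "state change requires POST"
            form = parse_qs(body or "")
            if form.get("token", [None])[0] != self.csrf_tokens[cookies["sid"]]:
                return 403, "missing or bad anti-forgery token"
            contact = form.get("contact", [""])[0]
        else:
            # Vulnerable: a GET with a query string is enough, and an <img>
            # tag makes every logged-in viewer issue exactly such a GET.
            contact = parse_qs(parsed.query).get("contact", [""])[0]
        self.address_book.setdefault(user, []).append(contact)
        return 200, "added " + contact


class Browser:
    """Just enough of a browser: a per-host cookie jar and <img> fetching."""

    IMG_SRC = re.compile(r'<img[^>]+src="([^"]+)"', re.IGNORECASE)

    def __init__(self, portal):
        self.portal = portal
        self.jar = {}   # host -> {cookie name: value}

    def set_cookie(self, host, name, value):
        self.jar.setdefault(host, {})[name] = value

    def get(self, url):
        host = urlparse(url).hostname
        if host != PORTAL_HOST:
            return 0, "not reachable in this example"
        # Cookies for the target host ride along on every request to it,
        # whether the user typed the URL or a page merely embedded it.
        return self.portal.handle("GET", url, self.jar.get(host, {}))

    def post(self, url, body):
        host = urlparse(url).hostname
        return self.portal.handle("POST", url, self.jar.get(host, {}), body)

    def render(self, html):
        """Fetch every inline image, as a forum or webmail view would."""
        return [self.get(src) for src in self.IMG_SRC.findall(html)]


# Constructed attacker post: to the forum it is just a 1x1 image.
ATTACKER_POST = (
    'Nice thread! <img src="http://portal.example/addressbook/add'
    '?contact=attacker%40evil.example" width="1" height="1">'
)


def victim_views_post(hardened):
    """Log a victim in, let them view the attacker's post, report the damage."""
    portal = Portal(hardened=hardened)
    sid = portal.login("alice")
    browser = Browser(portal)
    browser.set_cookie(PORTAL_HOST, "sid", sid)
    responses = browser.render(ATTACKER_POST)
    return responses[0][0], portal.address_book.get("alice", [])


def legitimate_add(contact):
    """The hardened portal still works when its own form supplies the token."""
    portal = Portal(hardened=True)
    sid = portal.login("alice")
    browser = Browser(portal)
    browser.set_cookie(PORTAL_HOST, "sid", sid)
    body = "contact=%s&token=%s" % (contact, portal.csrf_tokens[sid])
    status, _ = browser.post("http://portal.example/addressbook/add", body)
    return status, portal.address_book["alice"]


if __name__ == "__main__":
    print(victim_views_post(hardened=False))  # (200, ['attacker@evil.example'])
    print(victim_views_post(hardened=True))   # (405, [])
    print(legitimate_add("bob@example"))      # (200, ['bob@example'])
```

The point the simulation makes is the one the message makes: the browser's cookie jar does not distinguish a request the user intended from one an embedded image caused, so any service on the portal that treats "cookie present" as "user consented" is reachable from a forum post or an HTML mail. The token check is one standard fix; it works because the attacker, who can make the victim send the request, cannot read the portal's pages to learn the token.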
This archive was generated by hypermail 2b30 : Sat Jun 16 2001 - 10:20:18 PDT