Bugtraq mailing list archives
Re: 'cross site scripting' CERT advisory and MS
From: marcs () ZNEP COM (Marc Slemko)
Date: Fri, 11 Feb 2000 16:39:02 -0700
On Thu, 10 Feb 2000, David LeBlanc wrote:
After a bit of dinking in vi, I removed the HTML, AND got it properly indented for response, so...Mark Slemko wrote:2. Do not use a mail reader that forces you to display HTML messages.Using something like Outlook Express is very dangerous, since it means that you can be exploited if an email message arrives in your inbox and is displayed.This is overkill. The problem is scripting, not HTML, which are really seperate issues.
NO! NO! NO! I don't know how many times I have to say this: the problem is not just with scripting languages. Baming them there silly scripting languages is missing the whole point. Yes, most exploits would probably use scripting. But that is simply because scripting languages offer fairly complete control over a browser. A lot of that control can be obtained just by injecting HTML or making requests. For example, suppose that a server sets a cookie that it then users later to display information to the client. Say you can store the javascript within this cookie. Then simply having you make a single request to the server with the right URL could result in it setting a cookie that will stick around when you come back later. I have seen an example of this (not sending it via email though) on a real, fairly major web page and it is pretty convincing. Even when you close your browser, if the cookie sticks around (as it normally would), then going back to the site "normally" later will still give you altered content. Yes, for this example you can disable cookies when reading mail, and should anyway for other reasons. But what other ways are there to do things? I don't know. I do know that things are complex enough that I'm quite unwilling to say that disabling cookies and scripts will leave you "safe". While obviously following a link from an email, clicking on a button, doing anything on a site that appears (ie. that the URL is correct) to be a real site can be dangerous, that is a different issue. Also note that if there is any way to get Outlook Express to open a new IE window with a document in automatically when it loads an email, then you would be vulnerable if you only disabled scripting, etc. for mail and not for "normal" web access. Is there a way to do this? I don't know of any. But again, things are complex enough that I'm quite unwilling to say there is no way to do it. So while disabling all the "features" that you can when reading HTML mail is definitely recommended and protects you against a lot of attacks, it is not a complete solution. I seriously doubt that all the ways of exploiting this issue without using scripting languages have been discovered. Not that I have seen anyone publicly posting exploits that do things in any of these ways (or any other way...), which I find odd, since there are lots of vulnerable sites out there, and some vulnerabilities that are pretty serious.
Current thread:
- UPDATE: Sygate 3.11 Port 7323 Telnet Hole, (continued)
- UPDATE: Sygate 3.11 Port 7323 Telnet Hole jalerta () nestworks com (Feb 03)
- Re: Evil Cookies. Joachim Feise (Feb 03)
- Re: Evil Cookies. Jon Paul, Nollmann (Feb 05)
- Reminder: BOF on Distributed DoS, San Jose 2/7/00 David Kennedy CISSP (Feb 06)
- Infosec.20000207.axis700.a Vitek, Ian (Feb 07)
- Re: Evil Cookies. Thomas Reinke (Feb 04)
- Re: Evil Cookies. Dylan Griffiths (Feb 07)
- 'cross site scripting' CERT advisory and MS Eric Lecht (Feb 08)
- Re: 'cross site scripting' CERT advisory and MS Dustin Miller (Feb 09)
- Re: 'cross site scripting' CERT advisory and MS David LeBlanc (Feb 10)
- Re: 'cross site scripting' CERT advisory and MS Marc Slemko (Feb 11)
- Re: 'cross site scripting' CERT advisory and MS Rishi Lee Khan (Feb 14)
- Packet Tracing (linux klog patch) Dragos Ruiu (Feb 12)
- Re: Packet Tracing (linux klog patch) Andrzej Bialecki (Feb 15)
- Re: Packet Tracing (linux klog patch) Dragos Ruiu (Feb 17)
- Re: Packet Tracing (linux klog patch) Andrzej Bialecki (Feb 17)
- crash windows boxes on your local network (twinge.c) sinkhole () NILL NET (Feb 10)
- Re: crash windows boxes on your local network (twinge.c) Elias Levy (Feb 14)
- DDOS Attack Mitigation Elias Levy (Feb 11)
- TESO - Nameserver traffic amplify and NS route discovery Sebastian (Feb 12)
- Re: DDOS Attack Mitigation Darren Reed (Feb 13)
