Bugtraq mailing list archives
Re: Fwd: CERT Advisory CA-2000-02
From: marcs () ZNEP COM (Marc Slemko)
Date: Thu, 3 Feb 2000 14:29:23 -0700
-----BEGIN PGP SIGNED MESSAGE----- On Thu, 3 Feb 2000 Shockro () AOL COM wrote:
I'm curious as to how this could be used in a malicious manner, as opposed to just being an annoyance. I mean, god forbid, people should execute arbitrary javascript on us. Yes, we've all seen the file upload form exploit and the 1001 ways to crash Internet Explorer through infinite loops, but there's nothing seriously harmful about this, am I right? Please correct me if I'm wrong.
You are completely wrong.
Please go through the full text of the CERT advisory, and the info
in the Apache and (in particular) Microsoft web sites.
This is a problem because it breaks some of the sites specific barriers.
A very simple example is that this could be used to steal someone's cookie,
which may be what is used to authenticate them.
The problem is a very broad one, however, with a huge number of specific
instances, most of which have probably not been discovered. It also
goes beyond just javascript, since javascript is not necessary to
exploit this in certain ways.
Again, this is not a javascript problem. This is also not just the same
old "if user B submits something to a site that is then shown to
user A, you have to filter or encode it" problem. This is "if user
A submits something to a site that is sent back unfiltered and unencoded
to user A, then you have a security problem". Yes, this is a new
issue. Well, the components of it are (mostly) nothing new, but putting
them together is.
Also note that filtering or encoding things is not as easy as you may
think. There are far too many very annoying things, including characterset
issues and browser specific extensions.
- From my brief survey last week, most of the top commerce sites are
vulnerable to some degree (if it can be exploited to any dangerous effect,
however, is another issue) and most webserver products are vulnerable
themselves; Apache's vulnerabilities are among the less serious compared
to a number of other products. Even some products where the vendor has
released a statement saying "no problems" have obvious problems. Don't
start thinking this is just a vendor problem though; the real issue with
this problem is that fixing it requires a site fix all their locally
created dynamic content.
- --
Marc Slemko | Apache Software Foundation member
marcs () znep com | marc () apache org
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0i for non-commercial use
Charset: noconv
iQCVAwUBOJnzNVQv/g4Arev1AQE2VwP+Npc1Aa9tmyb/4KbjyxCFn879h7bCLZkq
WblwHPocOuW1oiS38ejdqf6V4nn4qSUXjzmhwRK8ZsC15v9dVE3ZaEfwh4Rkd6JK
VpgRdbgI6KcTkWI7ceNNWbu4AsE5t3MJ08RQD9bwr+C6MVj6zby3gyNtNbt16Itl
+0hcVca/F8Y=
=78Oq
-----END PGP SIGNATURE-----
Current thread:
- Re: Bypass Virus Checking, (continued)
- Re: Bypass Virus Checking Max Vision (Jan 31)
- Re: Bypass Virus Checking Martin Bene (Feb 02)
- Re: Bypass Virus Checking Bacano (Feb 01)
- Re: Bypass Virus Checking Brad Griffin (Feb 01)
- Re: Bypass Virus Checking Vladimir Dubrovin (Feb 02)
- Re: Bypass Virus Checking Brock Sides (Feb 01)
- Re: Bypass Virus Checking salme () US IBM COM (Feb 01)
- Fwd: CERT Advisory CA-2000-02 Shockro () AOL COM (Feb 02)
- Re: Fwd: CERT Advisory CA-2000-02 fury (Feb 03)
- Re: Fwd: CERT Advisory CA-2000-02 Ari Gordon-Schlosberg (Feb 03)
- Re: Fwd: CERT Advisory CA-2000-02 Marc Slemko (Feb 03)
- Re: Fwd: CERT Advisory CA-2000-02 Henrik Nordstrom (Feb 05)
- Re: Fwd: CERT Advisory CA-2000-02 Byron Alley (Feb 07)
- Re: Fwd: CERT Advisory CA-2000-02 Len Budney (Feb 08)
- Novell GroupWise 5.5 Enhancement Pack Web Access Denial of Servic e Adam Gray (Feb 07)
- Fwd: CERT Advisory CA-2000-02 Shockro () AOL COM (Feb 02)
- Re: Bypass Virus Checking Max Vision (Jan 31)
- Re: Fwd: CERT Advisory CA-2000-02 Henri Torgemane (Feb 03)
- recent 'cross site scripting' CERT advisory Tim Hollebeek (Feb 04)
- Re: recent 'cross site scripting' CERT advisory Marc Slemko (Feb 05)
- Re: recent 'cross site scripting' CERT advisory Manuel Martin (Feb 08)
- Novell BorderManager 3.5 Remote Slow Death Chicken Man (Feb 08)
- Re: Novell BorderManager 3.5 Remote Slow Death Ron van Daal (Feb 09)
