lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <82wsq3shzv.fsf@mid.bfk.de>
Date: Mon, 21 Jan 2008 09:25:08 +0100
From: Florian Weimer <fweimer@....de>
To: Tavis Ormandy <taviso@....lonestar.org>
Cc: bugtraq@...urityfocus.com
Subject: Re: common dns misconfiguration can lead to "same site" scripting

* Tavis Ormandy:

> Hello, I'd like to document what appears to be a common named
> misconfiguration that can result in a minor security issue with web
> applications.

Interesting, thanks.

I did some digging because I remembered a rule to put "localhost"
nodes into all zones.  It turns out that this was once recommended by
RFC 1537:

| Note that all domains that contain hosts should have a "localhost" A
| record in them.

That RFC was obsoleted by RFC 1912 in 1996, so there's no RFC
conformance issue if you omit the domain names.  But it explains why
there are so many zones that contain them.

> The JavaScript SOP
> (http://www.mozilla.org/projects/security/components/same-origin.html)
> does include the port number, where as RFC2109
> (http://www.ietf.org/rfc/rfc2109.txt) explicitly does not. This
> behaviour is arguably incorrect, making it impossible to securely
> host a website from a multi-user machine, but nevertheless is the
> case, and is implemented by most major browsers.

A lot of deployed applications (including some of yours) would break
if cookies did not allow port switching.

-- 
Florian Weimer                <fweimer@....de>
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ