lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <Pine.LNX.4.58.0702040204590.30846@dione>
Date: Sun, 4 Feb 2007 02:18:02 +0100 (CET)
From: Michal Zalewski <lcamtuf@...ne.ids.pl>
To: Tyop? <tyoptyop@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Web 2.0 backdoors made easy with MSIE &
 XMLHttpRequest

On Sun, 4 Feb 2007, Tyop? wrote:

>> This is getting depressing. May 2006.
> but not really surprising, yes?

No, though this bug is truly remarkable in that a quick fix, I'm quite
certain, amounts to changing "!= ' '" to "> ' '" in the code.

That's two characters, and no chance for a negative impact on any
legitimate application, simply no way.

Oh, and actually,did I say May? It gets even better!

If you look at that paper, Amit initially noticed that \n and \t are not
filtered in September 2005 (17 months ago), and described it as a referrer
spoofing bug (granted, not an earth-shattering discovery).

He then followed up in May 2006 demonstrating how this can be used to do
local cache poisoning, which is kinda more problematic.

It's February 2007, the attack can be obviously used to do a really nasty
interactive firewall bypass attack in corporate environments - so... ugh.

At least they managed to fix it in IE7's new native XMLHttpRequest code,
which I bet happened by accident.

/mz

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ