| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 4 Feb 2007 02:18:02 +0100 (CET) From: Michal Zalewski <lcamtuf@...ne.ids.pl> To: Tyop? <tyoptyop@...il.com> Cc: full-disclosure@...ts.grok.org.uk Subject: Re: Web 2.0 backdoors made easy with MSIE & XMLHttpRequest On Sun, 4 Feb 2007, Tyop? wrote: >> This is getting depressing. May 2006. > but not really surprising, yes? No, though this bug is truly remarkable in that a quick fix, I'm quite certain, amounts to changing "!= ' '" to "> ' '" in the code. That's two characters, and no chance for a negative impact on any legitimate application, simply no way. Oh, and actually,did I say May? It gets even better! If you look at that paper, Amit initially noticed that \n and \t are not filtered in September 2005 (17 months ago), and described it as a referrer spoofing bug (granted, not an earth-shattering discovery). He then followed up in May 2006 demonstrating how this can be used to do local cache poisoning, which is kinda more problematic. It's February 2007, the attack can be obviously used to do a really nasty interactive firewall bypass attack in corporate environments - so... ugh. At least they managed to fix it in IE7's new native XMLHttpRequest code, which I bet happened by accident. /mz _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists