Date: Wed, 12 Dec 2007 16:27:28 -0500 (EST)
From: "Steven Adair" <steven@...urityzone.org>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Google / GMail bug, all accounts vulnerable

Glad to see we figured it out. :)  Yes, "Cross Site Request Forgery" would
be the correct term referenced by the acronym in all of the replies
(subsequently also the first result in a normal Google query).  I'm still
not quite sure what the big deal is with the favicon stuff in terms of this
issue.  So let's say you completely disabled favicons altogether.  Now when
you visit the original PoC, it no longer works.  However, if you simply
had a 302 or mod_rewrite rule for any image that you actually had written
into the source of your page, you could achieve the same result.

Maybe the favicon.ico method is slightly transparent to the user as it's
not present when you view the source.  However, you could be almost as
sneaky by only throwing a redirect to the Google logout page if the
referer field includes your root page.  Otherwise, if the user directly
requests it, it displays a real image.

Explain to me what I am missing here.


> On Wednesday 12 December 2007 08:05:35 Steven Adair wrote:
>> You aren't really able to take action on Google's site per the
>> real definition of CSRF.
>
> CRSF:	Canadian Rope Skipping Federation (Google's "I'm feeling lucky")
> 	Center for Research on Sustainable Forests
> 	Canadian Rhodes Scholars Foundation
> 	CReative Santa Fe
> 	Consolidated Rail System Federation
>
> I keep wondering when people on this thread will discuss the relative
> merits of various rope materials? That is the "real definition" isn't it? ;)
>
> On a more serious note, I agree with the question; it doesn't sound like a
> full cross site request forgery. Still Coderman's reply to your questions
> led me to search for information on the Firefox "browser.chrome.favicons."
> That led to this bit of information:
>
> "Caveats
>
> "    * browser.chrome.site_icons must be true for this preference to have
> an effect.
> "    * Conversely, browser.chrome.site_icons should be false when this
> preference is false to disable site icons and favicons completely."
>
> http://kb.mozillazine.org/Browser.chrome.favicons
>
> Given Coderman's statement about meeting "fortuitously in a black hat
> tryst," I set both to false. Thanks all for the info.
>
> And for those people, like myself, who aren't up on all the acronyms,
> here is a link for CRSF:
>
> https://secure.wikimedia.org/wikipedia/en/wiki/Csrf
>
> --
> Hawaiian Astronomical Society: http://www.hawastsoc.org
> HAS Deepsky Atlas: http://www.hawastsoc.org/deepsky
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
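As an added example (not code from the thread or from Google), here is a server-side guard for a logout endpoint that shows why the redirected favicon/image GET discussed above succeeds and how a site can refuse it. SITE_ORIGIN, the session cookie name `sid`, the form field `csrf` and the request dict layout are assumptions; the sample requests are constructed.

```python
import hmac

SITE_ORIGIN = "https://mail.example"  # hypothetical protected site


def make_csrf_token(session_secret: bytes, session_id: str) -> str:
    """Derive the anti-CSRF token expected for one session (HMAC-SHA256)."""
    return hmac.new(session_secret, session_id.encode(), "sha256").hexdigest()


def logout_allowed(req: dict, session_secret: bytes) -> tuple:
    """Return (allowed, reason) for a logout request.

    `req` is a constructed stand-in for an HTTP request:
    {'method', 'headers' (any case), 'cookies', 'form'}."""
    hdr = {k.lower(): v for k, v in req.get("headers", {}).items()}
    # 1. A favicon/<img> load, and the 302 it follows, arrives as GET:
    #    a state change must never be performed on GET.
    if req.get("method", "GET").upper() != "POST":
        return False, "state change attempted via GET"
    # 2. Fetch Metadata (modern browsers): image subresource loads carry
    #    Sec-Fetch-Dest: image, requests from another site Sec-Fetch-Site:
    #    cross-site. Absent headers (old browsers) fall through to 3 and 4.
    if hdr.get("sec-fetch-dest") == "image":
        return False, "request was an image subresource load"
    if hdr.get("sec-fetch-site") not in (None, "same-origin"):
        return False, "cross-site request"
    # 3. Origin/Referer naming another site (prefix match on the origin,
    #    so "https://mail.example.evil" does not pass).
    src = hdr.get("origin") or hdr.get("referer")
    if src and src != SITE_ORIGIN and not src.startswith(SITE_ORIGIN + "/"):
        return False, "origin mismatch"
    # 4. Token bound to the session cookie: another site's page cannot read
    #    it, so a forged request cannot supply it.
    sid = req.get("cookies", {}).get("sid", "")
    expected = make_csrf_token(session_secret, sid)
    supplied = req.get("form", {}).get("csrf", "")
    if not hmac.compare_digest(expected, supplied):
        return False, "missing or wrong CSRF token"
    return True, "ok"


# Constructed sample: what the server sees after a favicon request on a third
# party page was answered with 302 Location: <logout URL>.
REDIRECTED_FAVICON_GET = {
    "method": "GET",
    "headers": {"Sec-Fetch-Dest": "image", "Sec-Fetch-Site": "cross-site"},
    "cookies": {"sid": "s-123"},
    "form": {},
}
```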
