Vulnerability Development mailing list archives
Re: Netaddress and amexmail
From: marcs () ZNEP COM (Marc Slemko)
Date: Sat, 29 Apr 2000 00:08:37 -0600
On Thu, 27 Apr 2000, Blue Boar wrote:
Fabio Pietrosanti wrote:
Do you know of the existence of cookies? :)

I think that's the answer in this case. Though, the question is valid. There do exist web services that put everything needed in the URL, so saving the URL will work. Some also have a timeout, so the same URL no longer works 5 minutes later, which could explain a friend not being able to use the URL because time has passed. Those are really dumb, especially for web e-mail. If someone mails you a link, and you click on it, guess what shows up in the site's log as a referer...

In this case, if you look at the options given at login you see that netaddress gives you the choice of using cookies or not. By default, they don't. That has a few implications.

First, anyone who can access the service from the same IP address that you can is able to do nasty things. Suppose you use a proxy with world (i.e. to anyone with access to that machine) readable logs. You are toast against anyone who can read them and use the proxy machine. Anyone behind one of those evil bogus "transparent caching" so-called HTTP proxies has the problem of "sharing" an IP too.

Second, this assumption doesn't always work right because you can't make the assumption that one IP address == one user. And that works both ways; one IP address could be more than one user, one user could have more than one IP during the same session, or both.

After you log out or after a timeout, the session is no longer valid.

If you use cookies, then the IP address limitation is no longer there. The cookie they use is a 6-character alphabetic key. However, that is still not very secure due to so-called "cross site scripting" (although in this case it is a lot more straightforward; mail someone something that gets them to send you their cookie, no "cross site" anything). Cookies are not secure and will never be secure. Period. I can guarantee you that with almost any web-based mail service, someone can steal your cookies for that service. Netaddress is no exception.

Trying to display arbitrary HTML while filtering "unsafe" HTML is really an unsolved, and unsolvable, task. The only way a service can avoid this is by only explicitly allowing through a very limited subset of HTML. This limits functionality quite a bit, but there is no choice if security is a goal. The very fact that Hotmail still has new problems being found every month or so should demonstrate this; if MS can't get it right for IE, no one else has much chance.
Hotmail is even worse though, due to its use of Microsoft's passport system.

For Netaddress, you are probably safer, in most situations, not using their cookie option since it significantly decreases security for most people. For most people, the best of both worlds would be cookies combined with an IP address restriction. Not 100%, but stops any random user from exploiting you. Unfortunately, very few, if any, services offer that.

The other thing that webmail services should do if they don't want to do it by default is give you the option of having it do "strict HTML filtering". That way maybe some things won't work, but you are a lot more secure. They could then include a "read this insecurely" link if you really think you want to read a message without stripping/encoding any non-trivial HTML. This should be the default setting, but even if they don't make it the default, at least offering it would make life better.

Disabling javascript would be a nice option, but unfortunately most web based mail services require that you leave it enabled. Catch-22.
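
The "strict HTML filtering" described in the message above (rebuild the message from a very limited subset of HTML instead of hunting for "unsafe" parts), as an added example that is not part of the original post or any webmail service's code. The tag allowlist, the names `StrictMailFilter` and `strict_filter`, and the sample message are assumptions made for illustration.

```python
from html import escape
from html.parser import HTMLParser

# Assumed allowlist for illustration; the post does not name specific tags.
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br", "blockquote", "pre"}
VOID_TAGS = {"br"}
DROP_CONTENT = {"script", "style"}  # their text content is dropped as well
# Constructed sample message body, not taken from the post.
SAMPLE = ('<p onmouseover="x()">Hi <b>there</b><script>alert(1)</script>'
          '<img src="http://example.invalid/c.gif"><a href="javascript:x()">click</a>')

class StrictMailFilter(HTMLParser):
    """Rebuilds a message from allowlisted tags only; no attributes survive."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []   # allowlisted tags currently open
        self.drop_depth = 0   # > 0 while inside script/style

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.drop_depth += 1
        elif tag in ALLOWED_TAGS and not self.drop_depth:
            # attrs is ignored: event handlers, href, src and style never pass
            self.out.append(f"<{tag}>")
            if tag not in VOID_TAGS:
                self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.drop_depth = max(0, self.drop_depth - 1)
        elif tag in self.open_tags and not self.drop_depth:
            # close back to the matching tag so the output stays well nested
            while self.open_tags:
                closed = self.open_tags.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        if not self.drop_depth:
            self.out.append(escape(data))  # text is always re-encoded

def strict_filter(message_html):
    f = StrictMailFilter()
    f.feed(message_html)
    f.close()
    while f.open_tags:  # close anything the sender left open
        f.out.append(f"</{f.open_tags.pop()}>")
    return "".join(f.out)
```

Everything not on the allowlist is dropped by construction, so a new tag or attribute trick fails closed instead of needing a new filter rule.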