WebApp Sec mailing list archives
AMD web forums trojaned by WMF exploit
From: "Evans, Arian" <Arian.Evans () fishnetsecurity com>
Date: Tue, 31 Jan 2006 13:02:55 -0600
I posted to a few of the lists about WMF and webappsec earlier, thinking there would be more abuse of WMF in webapps on the Internet: AMD was hit by a cross-site-WMF:

http://www.f-secure.com/weblog/archives/archive-012006.html#00000795

So there are two issues here. (a) embedding *stuff* cross site, and (b) content type safety.

I think this issue is relevant to webappsec. Here's why:

1. Input Validation
2. Input Validation

We all know the joy of strongly typing data, but how often do we give the same treatment to *content* in binary formats? For example, see just about any web-based DMS that runs on Windows.

Why is this? Due to difficulty? I've seen web-based DMS systems on *nix platforms perform basic binary file type validation using utilities like 'file'.

Should we not be using content validation libraries to verify our jpgs are really jpgs (and not windows metafiles), our Word docs are word docs, etc. etc. etc.?

Seems reasonable that if I want to scrub metacharacters to prevent attackers from XSSing my web-based DMS users, I might want to prevent the ability to launch BoF remote root attacks via embedded content. I would give much higher priority to a remote root BoF (than an XSS), though there is a greater range of mitigating controls available to counter malicious content (e.g. local AV engines with appropriate signatures, network IPS, etc.).

That is my thought for the year. Now I am spent.

p.s.--I will be over on the continent a priori the event known as Black Hat and shortly thereafter. If any of you are around Amsterdam Feb 20-something to week of March 5th and would like me to buy you a beer in apology for inane posts, email me and a beer is yours. For social email use my first name at anachronic.com.

Arian J. Evans
FishNet Security
816.421.6611 [office]
816.701.2045 [direct] <--checked infrequently
888.732.9406 [toll-free]
816.421.6677 [fax]
913.710.7045 [mobile] <--daily/international access
aevans () fishnetsecurity com [email]
http://www.fishnetsecurity.com
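The check the post asks for, as an added example that is not code from the original post, from AMD, or from FishNet: compare the type an upload claims (its extension) with the type its leading bytes actually indicate, the way the 'file' utility does, and reject the upload on mismatch so a Windows metafile cannot be stored and served as photo.jpg. The function names, the allowed-extension table and the sample byte strings are this example's own assumptions; the magic numbers are the documented signatures of JPEG, PNG, GIF and the two common WMF headers (placeable/Aldus and the plain METAHEADER).

```python
"""Magic-byte content validation for uploaded binary files.

Added example, not from the original post. Extension and content must agree
on an allowed image type; anything else is refused.
"""
import os
from dataclasses import dataclass
from typing import Optional

# Leading byte sequences (magic numbers) of the formats this example knows.
# WMF has two common headers: the "placeable" Aldus header, and the plain
# METAHEADER (type 1 = disk file or 2 = memory, header size 9 words).
MAGIC = {
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "wmf": (b"\xd7\xcd\xc6\x9a", b"\x01\x00\x09\x00", b"\x02\x00\x09\x00"),
}

# Types this upload handler is willing to accept, keyed by extension
# (assumed policy for the example; WMF is deliberately absent).
ALLOWED_BY_EXTENSION = {".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".gif": "gif"}


def sniff_type(data: bytes) -> Optional[str]:
    """Return the format name whose signature the data starts with, else None."""
    for kind, signatures in MAGIC.items():
        if any(data.startswith(sig) for sig in signatures):
            return kind
    return None


@dataclass
class Verdict:
    accepted: bool
    declared: Optional[str]  # type implied by the filename
    detected: Optional[str]  # type implied by the bytes
    reason: str


def validate_upload(filename: str, data: bytes) -> Verdict:
    """Accept only when extension and content agree on an allowed image type."""
    ext = os.path.splitext(filename)[1].lower()
    declared = ALLOWED_BY_EXTENSION.get(ext)
    detected = sniff_type(data)
    if declared is None:
        return Verdict(False, None, detected, f"extension {ext!r} not allowed")
    if detected is None:
        return Verdict(False, declared, None, "content matches no known format")
    if detected != declared:
        return Verdict(False, declared, detected,
                       f"declared {declared} but content is {detected}")
    return Verdict(True, declared, detected, "ok")


# Constructed sample inputs: file headers only, not real images.
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16
SAMPLE_PLACEABLE_WMF = b"\xd7\xcd\xc6\x9a\x00\x00" + b"\x00" * 16
SAMPLE_STANDARD_WMF = b"\x01\x00\x09\x00\x00\x03" + b"\x00" * 16


if __name__ == "__main__":
    cases = [("photo.jpg", SAMPLE_JPEG),            # honest JPEG: accepted
             ("photo.jpg", SAMPLE_PLACEABLE_WMF),   # WMF renamed .jpg: rejected
             ("avatar.gif", SAMPLE_STANDARD_WMF),   # WMF renamed .gif: rejected
             ("notes.doc", SAMPLE_JPEG)]            # extension not in policy
    for name, blob in cases:
        v = validate_upload(name, blob)
        print(f"{name:11} accepted={v.accepted!s:5} {v.reason}")
```

A signature check is a gate, not proof of a well-formed file: it stops the renamed-metafile case the post describes, but a file that carries a valid JPEG header and hostile data further in passes it. For the "content validation libraries" the post calls for, the usual next step is to decode the upload with a real image parser and store the re-encoded output rather than the original bytes.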