Full Disclosure mailing list archives
Re: Insecure http pages referencing https form-actions.
From: "fd () ew nsci us" <fd () ew nsci us>
Date: Tue, 9 Aug 2005 18:04:38 -0700 (PDT)
On Tue, 9 Aug 2005 douglas.foster () gmail com wrote:
> On 8/9/05, fd () ew nsci us <fd () ew nsci us> wrote:
>> Today I realized that many "secured" web sites reference their secure
>> login page from an insecure page. For example:
>>
>> http://www.some-luser.com/login.html:
>>
>>     <form action="https://cgi.some-luser.com/login-cgi">
>>       user: <input name=user>
>>       pass: <input name=pass>
>>     </form>
>
> Could you be mixing up the secure communication of https with the host
> security of the server hosting the login page? Anyone who breaks into an
> https host can alter the page code, just the same as if they broke into an
> http server. And it only takes a registered domain to receive an https
> certificate, so not-secure-luser.com would still have a lock at the bottom
> of the page.
Access to the host which holds the http copy of login.html is not necessary, but would serve similarly. The change of the login page happens with DNS poisoning to point somewhere else, or by simply changing the content of the http (not https) stream. Since the page holding login.html is insecure (http), redirecting and/or changing content is trivial.

Note that the new action is changed to http://not-secure-luser.com/login-cgi, not https, so we don't even need a real certificate. You are correct, there will be no padlock - but it is too late. By the time they realize that the login doesn't give them a secure page, their credentials have been snarfed.

In addition, Eve's page http://not-secure-luser.com/login-cgi could spit out something like this:

    <h1>
      <!-- Your password is now mine. -->
      Please wait while you are logged in
      <!-- where you expected to be ... -->
    </h1>
    <form name=foo action="https://cgi.some-luser.com/login-cgi">
      <input name=user type=hidden value=$username>
      <input name=pass type=hidden value=$passwd>
    </form>
    <script>document.foo.submit();</script>

The victim would then be logged in to where they expected to be, complete with padlock. Except for the extra "please wait" page, this would not be obvious to a user.

My issue is with the insecure location of the actual <form>, and I have seen many sites which do this (including major financial institutions).

Does this help address your question?

-Eric

--
Eric Wheeler
Vice President
National Security Concepts, Inc.
PO Box 3567
Tualatin, OR 97062
http://www.nsci.us/
Voice: (503) 293-7656
Fax: (503) 885-0770
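As an added illustration (not part of the thread, and not code from either poster), the following audit check flags the condition Eric describes from the site owner's side: a credential form is reported when its action is not https, and also when the page carrying the form is itself served over http, since that page can be rewritten in transit even if the action is https. The sample page is a constructed copy of the some-luser.com example above.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample, modelled on the login page described in the thread.
SAMPLE_URL = "http://www.some-luser.com/login.html"
SAMPLE_HTML = """<form action="https://cgi.some-luser.com/login-cgi">
user: <input name=user> pass: <input name=pass> </form>"""


class _FormScanner(HTMLParser):
    """Collect [resolved action, has credential field] for each <form>."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            # Resolve relative actions against the page URL before checking the scheme.
            self._current = [urljoin(self.page_url, a.get("action", "")), False]
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            # Treat type=password, or a name like "pass", as a credential field;
            # the posted example uses a bare <input name=pass> with no type.
            name = a.get("name", "").lower()
            if a.get("type", "").lower() == "password" or name in ("pass", "passwd", "password"):
                self._current[1] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def find_insecure_login_forms(page_url, html):
    """Return [(action, reason)] for credential forms exposed to the http problem."""
    scanner = _FormScanner(page_url)
    scanner.feed(html)
    page_https = urlsplit(page_url).scheme.lower() == "https"
    findings = []
    for action, has_cred in scanner.forms:
        if not has_cred:
            continue
        if urlsplit(action).scheme.lower() != "https":
            findings.append((action, "action is not https; credentials travel in clear"))
        elif not page_https:
            findings.append((action, "form served over http; action can be rewritten in transit"))
    return findings


if __name__ == "__main__":
    for action, reason in find_insecure_login_forms(SAMPLE_URL, SAMPLE_HTML):
        print(f"{action}: {reason}")
```

Run against a site's own pages, an empty result for every credential form is the condition to aim for; the fix on the server side is to serve the page that carries the form over https as well, not just the action.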