Re: Web 2.0 backdoors made easy with MSIE & XMLHttpRequest

[Michal Zalewski <lcamtuf () dione ids pl>]

On Sun, 4 Feb 2007, Tyop? wrote:

> > This is getting depressing. May 2006.
> but not really surprising, yes?

No, though this bug is truly remarkable in that a quick fix, I'm quite
certain, amounts to changing "!= ' '" to "> ' '" in the code.

That's two characters, and no chance for a negative impact on any
legitimate application, simply no way.

Oh, and actually,did I say May? It gets even better!

If you look at that paper, Amit initially noticed that \n and \t are not
filtered in September 2005 (17 months ago), and described it as a referrer
spoofing bug (granted, not an earth-shattering discovery).

He then followed up in May 2006 demonstrating how this can be used to do
local cache poisoning, which is kinda more problematic.

It's February 2007, the attack can be obviously used to do a really nasty
interactive firewall bypass attack in corporate environments - so... ugh.

At least they managed to fix it in IE7's new native XMLHttpRequest code,
which I bet happened by accident.

/mz

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/