Full Disclosure mailing list archives
Re: Web 2.0 backdoors made easy with MSIE & XMLHttpRequest
From: Michal Zalewski <lcamtuf () dione ids pl>
Date: Sun, 4 Feb 2007 02:18:02 +0100 (CET)
On Sun, 4 Feb 2007, Tyop? wrote:
This is getting depressing. May 2006.but not really surprising, yes?
No, though this bug is truly remarkable in that a quick fix, I'm quite certain, amounts to changing "!= ' '" to "> ' '" in the code. That's two characters, and no chance for a negative impact on any legitimate application, simply no way. Oh, and actually,did I say May? It gets even better! If you look at that paper, Amit initially noticed that \n and \t are not filtered in September 2005 (17 months ago), and described it as a referrer spoofing bug (granted, not an earth-shattering discovery). He then followed up in May 2006 demonstrating how this can be used to do local cache poisoning, which is kinda more problematic. It's February 2007, the attack can be obviously used to do a really nasty interactive firewall bypass attack in corporate environments - so... ugh. At least they managed to fix it in IE7's new native XMLHttpRequest code, which I bet happened by accident. /mz _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Web 2.0 backdoors made easy with MSIE & XMLHttpRequest Michal Zalewski (Feb 03)
- Re: Web 2.0 backdoors made easy with MSIE & XMLHttpRequest Michal Zalewski (Feb 03)
- Message not available
- Re: Web 2.0 backdoors made easy with MSIE & XMLHttpRequest Tyop? (Feb 03)
- Re: Web 2.0 backdoors made easy with MSIE & XMLHttpRequest Michal Zalewski (Feb 03)
- Message not available
- Message not available
- Fwd: Web 2.0 backdoors made easy with MSIE & XMLHttpRequest Giorgio Fedon (Feb 03)
- Re: Web 2.0 backdoors made easy with MSIE & XMLHttpRequest Michal Zalewski (Feb 03)
- Re: Web 2.0 backdoors made easy with MSIE & XMLHttpRequest James Matthews (Feb 03)
- Re: Web 2.0 backdoors made easy with MSIE & XMLHttpRequest Amit Klein (Feb 04)
- Re: Web 2.0 backdoors made easy with MSIE & XMLHttpRequest Troy Cregger (Feb 05)