zope.org has discovered a new client-side security issue that should read by anyone who uses web applications ( including blogger ):

“Imagine you have some kind of system that you administer through a web GUI, such as HotMail, your Netscape Admin server or a site like Zope.org. You get in to work and use this service for a while (check your mail, manage your servers, whatever). For our example, lets say you were using the netscape admin

Later in the day someone sends you an email asking you to look at a web page. You go the page using the browser session where earlier you had logged in to the admin server. However, the page does a redirect to a url of your admin server that causes your main web server to be deleted! The redirect will succeed, as you’ve already logged in to the admin server earlier with sufficient privileges to delete your server.

There are a few variations on this theme, involving JavaScript that can silently submit a hidden form to do the same sort of thing. It appears that most web applications involving authentication are vulnerable to this sort of attack.

Web clients will cache your credentials and send them automatically to a realm that you have visited earlier in the session, which in a stateless system is a reasonable behavior. The problem is that the client is also willing to let almost any page on the Web take actions automatically on your behalf through the use of things like redirects or javascript code. ”

unfortunately, as the article points out, there is no easy ‘solution’. i suppose while i’m standing on the security soapbox, i might as well point out yet another reason to be wary of hotmail

Leave a Reply