From: Greg Stein
Subject: [Savannah-hackers] Re: [ViewCVS-dev] Re: Cross-Site Scripting of CVS system
Date: Wed, 27 Mar 2002 04:30:35 -0800
User-agent: Mutt/1.2i

On Wed, Mar 27, 2002 at 07:17:18PM +0900, office wrote:
>...
> On Tue, 26 Mar 2002 23:18:57 +0100 "Lucas Bruand" <address@hidden> wrote:
> > As far as I can tell, this is javascript; what can you hurt except yourself?
> 
> !!
> 
> Have you EVER read bugtraq?
> Or have you ever read about cross-site scripting?
> 
> O.K. Watch this URL
> http://www.cert.org/advisories/CA-2000-02.html
> If you cannot understand this, I will stop thinking you are a hacker.

There is absolutely no call to be insulting.

> Hey, can any person help Lucas Bruand?

Yes. *YOU* can help. Explain the problem rather than implying any lack of
ability on Lucas' behalf. Lucas has constructively contributed to the
ViewCVS project. Quite a lot (tparse, vclib, etc). You could do the same by
explaining the problem in more detail to the people that don't understand it
as well as you.

For example, C-SS issues generally arise from accepting user input, not
validating it, storing it for later use, and then presenting that to *other*
users. The typical example is the first user entering some Javascript which
is then transmitted to the second user, where it is then run. The JS code
can then extract information from that second user and deliver it to the
first.

This typically occurs with comment-entry types of systems. If those comments
are not filtered for "bad" content, or are presented to other users without
any checks, then the bad code can be passed along.


*However*, your code does not exhibit any of the typical characteristics of
a C-SS problem. If a user types in a bad URL, thus causing Javascript to be
executed on their *own* machine, then nothing bad has happened. The user
caused it themselves.

If you then take the position that a malicious user can feed a bad URL to a
victim, then you must ask, "how will that URL be sent to them?" If it is in
an email, then they'll see the problems and will avoid it. If the URL is
hidden within an HTML page, then why doesn't the malicious person simply put
the offending Javascript right in that page? Why use a ViewCVS URL to attack
the user? They've already got the capability to transmit Javascript to the
user, via their own page.


So what I'd be interested in, is a clarification on how javascript embedded
within the URL can be used as an attack method on a victim.

I *do* know that ViewCVS won't allow incoming parameters to attack the
target system in any way. I'm not worried about that. But using it to attack
other users is something that hasn't been examined. Your assistance in
clarifying that will be welcome.

Cheers,
-g

-- 
Greg Stein, http://www.lyra.org/
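The two patterns discussed in the message above (stored comments shown to other users, and a request parameter reflected back into the page) are easy to see side by side in a few lines of code. The following is an added illustration for this archive page, not ViewCVS code and not from any participant in the thread; the comment list, the URL and the rendering functions are all constructed for the example. It renders the same user-supplied text once verbatim, the way the stored-comment case Greg describes goes wrong, and once with output encoding, which is the check a reviewer would want in both the stored and the reflected case.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed sample input: one benign comment and one that carries markup.
# These are made-up strings for the illustration, not data from the thread.
COMMENTS = [
    "Looks good to me.",
    "<script>alert('xss')</script>",
]


def render_comments_unsafe(comments):
    """The stored case as described: input from one user is stored and later
    inserted verbatim into a page served to other users, so any markup in it
    is interpreted by their browsers."""
    return "<ul>" + "".join(f"<li>{c}</li>" for c in comments) + "</ul>"


def render_comments_safe(comments):
    """Same page with output encoding: <, >, &, and quotes become entities,
    so the comment is displayed as text rather than parsed as HTML."""
    return "<ul>" + "".join(
        f"<li>{html.escape(c, quote=True)}</li>" for c in comments
    ) + "</ul>"


def render_query_echo_safe(url):
    """The reflected case: a parameter taken from the request URL (here a
    hypothetical 'path' parameter) is shown back in the page. Encoding it on
    output means a crafted URL cannot inject markup into the response."""
    params = parse_qs(urlsplit(url).query)
    path = params.get("path", [""])[0]
    return f"<h1>Listing for {html.escape(path, quote=True)}</h1>"


def contains_raw_script_tag(page):
    """Crude reviewer check: does an unescaped <script tag survive in the output?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    print("unsafe:", render_comments_unsafe(COMMENTS))
    print("safe:  ", render_comments_safe(COMMENTS))
    print("echo:  ", render_query_echo_safe(
        "http://example.invalid/viewcvs/?path=<script>alert(1)</script>"))
```

The point of the reflected function is the one Greg raises: if the only thing a crafted URL can do is run script in the browser of whoever requested it, escaping on output still costs nothing and removes the question entirely, which is why encoding every request-derived value before inserting it into HTML is the standard rule regardless of how the URL might reach a victim.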


