W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2010

Re: Security considerations for DNS rebinding

From: Adam Barth <w3c@adambarth.com>
Date: Wed, 10 Feb 2010 00:03:34 -0800
Message-ID: <7789133a1002100003y7605ac05r39ed3f84fc3adf2b@mail.gmail.com>
To: Amit Klein <aksecurity@gmail.com>
Cc: Maciej Stachowiak <mjs@apple.com>, Tim <tim-projects@sentinelchicken.org>, HTTP Working Group <ietf-http-wg@w3.org>
On Tue, Feb 9, 2010 at 11:56 PM, Amit Klein <aksecurity@gmail.com> wrote:
> On Tue, Feb 9, 2010 at 9:14 PM, Adam Barth <w3c@adambarth.com> wrote:
>>> I see some specific IE vulnerabilities cited here which allow the Host header to be forged via request splitting over a proxy: <http://www.securityfocus.com/archive/1/411585> It also cites some old Mozilla bugs that enabled header injection. And also some Flash vulnerabilities
>>> Do these vulnerabilities or any similar ones still exist in current versions of browsers or in Flash?
>> Not that I'm aware of.  Put another way, all the user agents that have
>> those vulnerabilities also have known arbitrary code execution
>> vulnerabilities, so it's not really worth worrying about.
> I don't want to split hairs here, but the fact that browsers had
> remote command execution bugs (which were probably fixed) doesn't mean
> that the less critical issue of Host header forging was addressed.

Indeed.  What I meant is that all the versions of user agents that I
know of that are vulnerable to Host header spoofing are also
vulnerable to arbitrary code execution, which trumps host header
checking.  :)

> Anyway, was http://www.securityfocus.com/archive/1/466906 ever addressed in IE?

I believe so.

The integrity of the Host header appears to be a security property
user agent vendors are willing to ensure by providing security updates
when they notice violations.  In this business, that's the best we can
hope for.

Received on Wednesday, 10 February 2010 08:04:33 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:10:52 UTC