- From: Ian Hickson <ian@hixie.ch>
- Date: Mon, 17 Apr 2006 21:44:32 +0000 (UTC)
- To: Alex Russell <alex@dojotoolkit.org>
- Cc: public-webapi@w3.org
On Fri, 14 Apr 2006, Alex Russell wrote:
>
> On Tuesday 11 April 2006 1:37 pm, Ian Hickson wrote:
> > On Tue, 11 Apr 2006, Maciej Stachowiak wrote:
> > > So, in itself, that might not be too bad an exploit. You can't get
> > > the Cookie or Authorization header, or document.cookie, so even if
> > > you find such a test script on a live server where users have login
> > > accounts. However, suppose there's a test script that also echoes
> > > back all the headers it sends in the body, some kind of debug mode
> > > maybe. Now you have something exploitable.
> >
> > Your script is getting somewhat complex now -- it needs to take GET
> > query parameters and convert them into HTTP headers and to echo all
> > its headers into the body as well. Does this ever happen? I've
> > written echo scripts myself but I can't think of any that are
> > vulnerable here.
>
> Perhaps not on their own, but attacks like "response splitting" which
> tends to affect poorly written proxies could easily induce this
> scenario.

Granted, but in that case the script is already very vulnerable to all
kinds of attacks today (e.g. cookie stuffing, XSS) and a cross-site read
will be the least of its problems.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Monday, 17 April 2006 21:44:40 UTC
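The debug-mode echo script the thread reasons about, modelled as an added example (not code from the thread or from any of its participants): query parameters become response headers and request headers are reflected into the body, beside a hardened version that rejects a parameter carrying CR/LF (the response-splitting case Alex raises) and never reflects credential-bearing request headers (the Cookie/Authorization point Maciej raises). The function names, the sample query and the `example.test` host are constructed for the demo.

```python
import re
from urllib.parse import parse_qsl

# Header names must be RFC 7230 tokens; CR, LF and NUL never belong in a value.
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
_BAD_VALUE = re.compile(r"[\r\n\x00]")
# Request headers that carry credentials and must never be reflected into a body.
_SENSITIVE = {"cookie", "authorization", "proxy-authorization"}

def naive_echo(query, request_headers):
    """Model of the debug script under discussion: each query parameter becomes a
    response header and every request header is echoed into the body, unvalidated,
    so a value containing CR LF splits the response into extra headers."""
    head = "".join(f"{k}: {v}\r\n" for k, v in parse_qsl(query, keep_blank_values=True))
    body = "".join(f"{k}: {v}\n" for k, v in request_headers.items())
    return "HTTP/1.1 200 OK\r\n" + head + "\r\n" + body

def hardened_echo(query, request_headers):
    """Same service, but a parameter that cannot form exactly one well-formed header
    is rejected outright, and credential-bearing request headers are not reflected."""
    lines = []
    for k, v in parse_qsl(query, keep_blank_values=True):
        if not _TOKEN.match(k) or _BAD_VALUE.search(v):
            raise ValueError(f"rejected malformed header from query: {k!r}")
        lines.append(f"{k}: {v}\r\n")
    body = "".join(f"{k}: {v}\n" for k, v in request_headers.items()
                   if k.lower() not in _SENSITIVE)
    return "HTTP/1.1 200 OK\r\n" + "".join(lines) + "\r\n" + body

def header_names(response):
    """Names of the headers a client would parse out of the head section of `response`."""
    head = response.split("\r\n\r\n", 1)[0]
    return [line.split(":", 1)[0] for line in head.split("\r\n")[1:] if line]

def demo():
    # Constructed sample: one parameter whose value hides a percent-encoded CR LF pair,
    # and a request that carries a session cookie.
    query = "X-Debug=1%0d%0aX-Injected:%20yes"
    request_headers = {"Host": "example.test", "Cookie": "session=secret"}
    naive = naive_echo(query, request_headers)
    try:
        hardened_echo(query, request_headers)
        blocked = False
    except ValueError:
        blocked = True
    clean = hardened_echo("X-Debug=1", request_headers)
    return {
        "naive_headers": header_names(naive),   # one parameter became two headers
        "naive_leaks_cookie": "session=secret" in naive,
        "hardened_blocked": blocked,
        "hardened_leaks_cookie": "session=secret" in clean,
    }
```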