
Re: [XHR] XMLHttpRequest specification lacks security considerations

From: Aryeh Gregor <Simetrical+w3c@gmail.com>
Date: Wed, 10 Feb 2010 18:21:58 -0500
Message-ID: <7c2a12e21002101521q3ae7ad2ci652872b1ab1a7fc3@mail.gmail.com>
To: Maciej Stachowiak <mjs@apple.com>, Bil Corry <bil@corry.biz>
Cc: Julian Reschke <julian.reschke@gmx.de>, Anne van Kesteren <annevk@opera.com>, Thomas Roessler <tlr@w3.org>, W3C WebApps WG <public-webapps@w3.org>, public-web-security@w3.org

On Tue, Feb 9, 2010 at 2:50 PM, Maciej Stachowiak <mjs@apple.com> wrote:
> A server can generally determine the domain name of the host it is running on from the operating system, if it wants to run with zero configuration. That is apparently what Apache does:
>
> http://httpd.apache.org/docs/1.3/mod/core.html#servername

That link says "this may not work reliably, or may not return the
preferred hostname."  *If* server implementers would be willing to
have their servers refuse to work unless explicitly configured or the
request host matches reverse DNS/OS hostname, then I agree as a web
developer that that would be great.

On Wed, Feb 10, 2010 at 4:37 AM, Bil Corry <bil@corry.biz> wrote:
> Another threat is an attacker crafting a malicious payload in the Host header, hoping that it gets logged then viewed via a web browser.

That's just straight XSS.

> And some webapps conditionally show debugging information based on the host header, so that the production hostname has a generic error page and the staging hostname produces a full stack trace.  Simply forging the host header allows an attacker to view the full debugging information.

I'd be surprised if this were common enough to be worth worrying about.
Received on Wednesday, 10 February 2010 23:22:33 GMT
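
The three Host header points raised in this thread (serving only explicitly configured names, Host values shown in a log viewer, debug output keyed on the host name), as an added Python sketch that is not from any message in the thread. `ALLOWED_HOSTS`, `DEBUG` and the function names are hypothetical, and the host names and header values are constructed samples.

```python
import html
import re

# Assumed configuration: names the operator set explicitly (constructed values).
ALLOWED_HOSTS = {"www.example.org", "staging.example.org"}
DEBUG = False  # set by deployment configuration, never derived from the request

# Plain DNS-style names with an optional port; anything else is rejected.
_HOST_RE = re.compile(r"([A-Za-z0-9.-]{1,253})(?::(\d{1,5}))?")


def canonical_host(header):
    """Return the lower-cased host name from a Host header value, or None."""
    if header is None:
        return None
    m = _HOST_RE.fullmatch(header.strip())
    if m is None:
        return None  # markup, spaces, userinfo, bracketed literals, and so on
    if m.group(2) is not None and not 0 < int(m.group(2)) <= 65535:
        return None
    return m.group(1).rstrip(".").lower()


def route(headers):
    """Refuse any request whose Host is not an explicitly configured name."""
    host = canonical_host(headers.get("Host"))
    if host is None or host not in ALLOWED_HOSTS:
        return 400
    return 200


def error_body(trace):
    """Choose the error page from server configuration only, not from Host."""
    return trace if DEBUG else "Internal Server Error"


def log_cell(raw_host):
    """Escape a logged Host value before it is placed in an HTML log view."""
    return "<td>" + html.escape(raw_host, quote=True) + "</td>"
```
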
