Re: SVG 1.2 Comment: B.2.3 Socket Connections

At 09:08 PM 11/1/2004 +0000, Ian Hickson wrote:
>On Mon, 1 Nov 2004, Peter Sorotokin wrote:
> > >
> > > Allowing arbitrary socket connections is either very dangerous, or of
> > > limited use, depending on the security restrictions. If it is allowed
> > > for any host, it can be used for sending spam. If it is allowed only
> > > for the originating host, it can be used to perform attacks from HTTP
> > > ports to HTTPS ports (as noted in the previous section).
> >
> > Please explain how exactly attack from HTTP to HTTPS can be done with
> > the socket interface.
>
>The same attack as described in the previous section.

I do not see how it is possible. Suppose you even write your own HTTPS 
stack. You open a connection to an HTTPS port, and then what? Unlike URLRequest, 
you don't have any access to session-specific information, so how do you 
spoof the identity? Maybe there is a way, but I do not see any.


>A more serious attack would be for untrusted injected script to make a
>direct connection to port 25 (SMTP). That would allow spam to be sent from
>client machines. Since the interfaces would be available to any script in
>UAs that implement SVG (not just in SVG drawings, which are very rare and
>thus less of an attack vector), this would basically mean that any HTML
>site that can be attacked via script injection (which is a lot of them)
>goes from being subject to cross-domain attacks (rarely a major problem on
>such insecure sites) to being a potential spam relay point (very bad).

How is it different from, say, Java applets? Also, note that you rely on 
two other unplugged holes for this attack to work, namely script injection 
and unprotected mail server access. If there is an open mail server out 
there, it can be used to send spam without any intermediaries.

Peter


>--
>Ian Hickson               U+1047E                )\._.,--....,'``.    fL
>http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
>Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Monday, 1 November 2004 21:52:04 UTC
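The two risks argued over above, a script reaching port 25 on the client's behalf and an http-loaded page opening a raw connection to an HTTPS port on its own host, are both things a user agent can refuse before any socket is opened. The following is an added example of such a UA-side policy check; it is not code from the thread or from any SVG 1.2 implementation, and the origin/target shapes, the blocked-port list and the function name are assumptions for illustration.

```javascript
// Added example, not from the thread or from any SVG 1.2 implementation: a
// user-agent-side policy that decides whether script may open a raw socket.
// Assumed inputs: the document's origin {scheme, host, port} and the
// requested target {host, port}; nothing is connected until this says yes.

// Ports no script may reach even on its own host. 25/465/587 are the SMTP
// ports behind the spam-relay concern; the others are common non-HTTP
// services that a raw socket would otherwise expose to injected script.
const BLOCKED_PORTS = new Set([21, 22, 23, 25, 110, 143, 465, 587, 6667]);

// Ports carrying TLS-protected protocols. A page loaded over plain http must
// not be allowed to talk to them on the same host (the HTTP-to-HTTPS
// cross-protocol concern raised in the thread).
const TLS_PORTS = new Set([443, 993, 995]);

function normalizeHost(host) {
  // Case-insensitive comparison; ignore a trailing dot on a fully qualified name.
  return host.toLowerCase().replace(/\.$/, "");
}

function socketConnectionDecision(origin, target) {
  // Rule 1: same host only (the draft's "originating host" restriction).
  if (normalizeHost(target.host) !== normalizeHost(origin.host)) {
    return { allowed: false, reason: "cross-host connection refused" };
  }
  // Rule 2: mail and other service ports are refused regardless of host,
  // so an injected script cannot turn the client into a relay.
  if (BLOCKED_PORTS.has(target.port)) {
    return { allowed: false, reason: `port ${target.port} is blocked` };
  }
  // Rule 3: an http origin may not reach TLS ports on its own host.
  if (origin.scheme === "http" && TLS_PORTS.has(target.port)) {
    return { allowed: false, reason: "http origin may not open a TLS port" };
  }
  // Rule 4: privileged ports other than the origin's own port are refused;
  // high ports on the same host are the only extra thing allowed.
  if (target.port < 1024 && target.port !== origin.port) {
    return { allowed: false, reason: "privileged port differs from origin" };
  }
  return { allowed: true, reason: "same host, permitted port" };
}
```

Real browsers later adopted a similar fixed bad-port list for their own fetch and WebSocket APIs; this check is only the shape of that idea, not any vendor's list.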