Re: SVG 1.2 Comment: B.2.3 Socket Connections

On Mon, 1 Nov 2004, Peter Sorotokin wrote:
> > >
> > > Please explain how exactly attack from HTTP to HTTPS can be done 
> > > with the socket interface.
> > 
> > The same attack as described in the previous section.
> 
> I do not see how it is possible. Suppose you even write your own HTTPS 
> stack. You open a connection to the HTTPS port and then what? Unlike 
> URLRequest you don't have any access to session-specific information, 
> so how do you spoof the identity? Maybe there is a way, but I do not see 
> any.

Fair enough.


> > A more serious attack would be for untrusted injected script to make a 
> > direct connection to port 25 (SMTP). That would allow spam to be sent 
> > from client machines. Since the interfaces would be available to any 
> > script in UAs that implement SVG (not just in SVG drawings, which are 
> > very rare and thus less of an attack vector), this would basically 
> > mean that any HTML site that can be attacked via script injection 
> > (which is a lot of them) goes from being subject to cross-domain 
> > attacks (rarely a major problem on such insecure sites) to being a 
> > potential spam relay point (very bad).
> 
> How is it different from, say, Java applets?

It isn't. Java applets are not trusted, and require the user to agree to 
running them in most secure UAs.


> Also, note that you rely on two other unplugged holes for this attack to 
> work, namely script injection and unprotected mail server access.

This is quite common. It was such a problem with HTML a few years back 
that secure UAs now white-list what ports you can do form submissions to.


> If there is an open mailserver out there it can be used to send spam 
> without any intermediaries.

Typically, such use would be detected and blocked quickly. However, if 
many different IPs each send one message, the server is much less likely 
to spot the problem.

Like I said, this actually affected Web browsers a few years back. Now you 
can only access certain ports (80, 8080, 443, and a few others that are 
sometimes used for Web servers).

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Thursday, 4 November 2004 00:52:42 UTC
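The port allow-list that Ian describes (a UA letting page script reach only 80, 8080, 443 and a few other Web-server ports, so that injected script cannot turn the visitor's machine into an SMTP relay) can be expressed as a small policy check. The code below is an added example written for this page; it is not code from the thread, from the SVG working group, or from any browser. The allowed port numbers are the ones the message names, the hostnames are made up, and the function names are this example's own.

```javascript
// Added example, not part of the original thread: an allow-list policy
// of the kind the message describes. Page script may open a connection
// only if the URL's effective port is on the list. 80, 8080 and 443 come
// from the message; the hostnames below are constructed for the example.
const ALLOWED_PORTS = new Set([80, 8080, 443]);

// The WHATWG URL parser leaves `port` empty when the scheme's default
// port is used, so resolve the default here. Otherwise "http://host/"
// would be judged by an empty string instead of by port 80.
const DEFAULT_PORT = { "http:": 80, "https:": 443, "ws:": 80, "wss:": 443 };

// Returns the port a connection to `url` would actually use, or null
// for a scheme that has no notion of a port (throws on an unparseable URL).
function effectivePort(url) {
  const u = new URL(url);
  if (u.port !== "") return Number(u.port);
  if (u.protocol in DEFAULT_PORT) return DEFAULT_PORT[u.protocol];
  return null;
}

// The policy decision: true only when the effective port is allow-listed.
// Anything else (25/SMTP, 6667/IRC, a scheme without a port) is refused,
// which is what stops an injected-script spam relay from the client side.
function isConnectionAllowed(url) {
  const port = effectivePort(url);
  return port !== null && ALLOWED_PORTS.has(port);
}

// Constructed sample URLs for a stand-alone run of the policy.
const samples = [
  "http://www.example.test/form",      // default port 80   -> allowed
  "https://www.example.test:443/api",  // explicit 443      -> allowed
  "http://www.example.test:8080/",     // alternate HTTP    -> allowed
  "http://mail.example.test:25/",      // SMTP              -> blocked
  "http://irc.example.test:6667/",     // IRC               -> blocked
];
for (const s of samples) {
  console.log(`${s} -> ${isConnectionAllowed(s) ? "allowed" : "blocked"}`);
}
```

The check keys on the effective port rather than on the scheme because the attack in the thread does not need a custom protocol at all: a plain HTTP request body aimed at port 25 is enough for a tolerant mail server to read as SMTP commands, so the decision has to be made on the port before any bytes are sent.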