- From: Ian Hickson <ian@hixie.ch>
- Date: Wed, 14 May 2008 22:47:11 +0000 (UTC)
- To: Jonas Sicking <jonas@sicking.cc>
- Cc: "WAF WG (public)" <public-appformats@w3.org>
On Wed, 14 May 2008, Jonas Sicking wrote:
>
> However, apparently there are servers out there that canonicalize URIs
> differently from rfc2396 by treating "\" characters as path separators.
> An attacker can use this to attack a server configured as above.
>
> It first sends a POST to "/apis", this makes the UA cache the above
> policy for 10h. It then sends a POST to "/apis/..\admin.cgi"
>
> To a UA it looks like this is a POST to the file "..\admin.cgi" in the
> "apis" directory. However there are apparently servers out there that
> will canonicalize the above to /admin.cgi and thus treat it as a POST to
> that URI, which may not be safe.

Specifically, this is a bug present in IIS. For example:

   http://www.microsoft.com/windows/products/windowsvista/..\windowsxp\default.mspx

...returns the same content as:

   http://www.microsoft.com/windows/products/windowsxp/default.mspx

This bug is even present if you escape the "\"s and "."s:

   http://www.microsoft.com/windows/products/windowsvista/%2E%2E%5Cwindowsxp%5Cdefault.mspx

> Not really sure how to fix this short of disabling the whole
> Access-Control-Policy-Path feature. Especially if we assume that there
> are other canonicalization behaviors out there as well.

Indeed. It would be sad to lose this, but I don't see a better solution.
Maybe we should just put a warning in the spec that if you're using IIS
you shouldn't use this feature?

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Wednesday, 14 May 2008 22:47:56 UTC
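The canonicalization mismatch discussed in the thread, written up as an added Python example (not code from the thread or from any UA or server): it models the UA's view of a request path (only "/" separates segments, escapes stay escaped) next to the backslash-tolerant, percent-decoding behaviour the mail attributes to IIS, and flags requests that stay inside a cached Access-Control-Policy-Path scope in the first view but leave it in the second. The function names are hypothetical and the server model is an assumption built only from the behaviour described above; the sample paths are the thread's own.

```python
from urllib.parse import unquote


def _remove_dot_segments(path: str) -> str:
    """Resolve '.' and '..' segments of an absolute path, keeping the leading '/'."""
    out = []
    for seg in path.lstrip("/").split("/"):
        if seg == "..":
            if out:
                out.pop()
        elif seg != ".":
            out.append(seg)
    return "/" + "/".join(out)


def ua_canonicalize(path: str) -> str:
    """What a UA sees: only '/' is a separator and percent-escapes stay escaped."""
    return _remove_dot_segments(path)


def iis_style_canonicalize(path: str) -> str:
    """Assumed model of the server behaviour described in the thread:
    percent-decode first, then treat '\\' like '/', then resolve dot segments."""
    return _remove_dot_segments(unquote(path).replace("\\", "/"))


def within_scope(policy_path: str, canonical_path: str) -> bool:
    """True if canonical_path is policy_path itself or lies beneath it."""
    base = policy_path.rstrip("/")
    return canonical_path == base or canonical_path.startswith(base + "/")


def policy_scope_escape(policy_path: str, request_path: str) -> bool:
    """True when the UA would apply the cached policy for policy_path to the
    request, yet a backslash-tolerant server would route it outside that scope.
    A server sitting behind such a front end can reject these requests outright."""
    ua_view = ua_canonicalize(request_path)
    server_view = iis_style_canonicalize(request_path)
    return within_scope(policy_path, ua_view) and not within_scope(policy_path, server_view)


if __name__ == "__main__":
    # Constructed requests modelled on the thread's "/apis" example
    # (a literal backslash is written "\\" in Python source).
    for req in ["/apis/list.cgi", "/apis/..\\admin.cgi", "/apis/%2E%2E%5Cadmin.cgi"]:
        print(req, "->", iis_style_canonicalize(req), "escape:", policy_scope_escape("/apis", req))
```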