Re: [AC] URI canonicalization problem with Access-Control-Policy-Path

On Wed, 14 May 2008, Jonas Sicking wrote:
> 
> However, apparently there are servers out there that canonicalize URIs 
> differently from rfc2396 by treating "\" characters as path separators. 
> An attacker can use this to attack a server configured as above.
> 
> It first sends a POST to "/apis", this makes the UA cache the above 
> policy for 10h. It then sends a POST to "/apis/..\admin.cgi"
> 
> To a UA it looks like this is a POST to the file "..\admin.cgi" in the 
> "apis" directory. However there are apparently servers out there that 
> will canonicalize the above to /admin.cgi and thus treat it as a POST to 
> that URI, which may not be safe.

Specifically, this is a bug present in IIS. For example:

   http://www.microsoft.com/windows/products/windowsvista/..\windowsxp\default.mspx

...returns the same content as:

   http://www.microsoft.com/windows/products/windowsxp/default.mspx

This bug is even present if you escape the "\"s and "."s:

   http://www.microsoft.com/windows/products/windowsvista/%2E%2E%5Cwindowsxp%5Cdefault.mspx


> Not really sure how to fix this short of disabling the whole 
> Access-Control-Policy-Path feature. Especially if we assume that there 
> are other canonicalization behaviors out there as well.

Indeed. It would be sad to lose this, but I don't see a better solution. 
Maybe we should just put a warning in the spec that if you're using IIS 
you shouldn't use this feature?

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Wednesday, 14 May 2008 22:47:56 UTC