Re: [AC] Helping server admins not making mistakes

* Jonas Sicking wrote:
>> Well, let's first be clear about the setup here, to use the PUT example:
>> 
>>          +---------------+                 +------------------+
>>          |   Attacker    |-----------------| Compromised site |
>>          +---------------+                 +------------------+
>>                  |                        /         |
>>             [Can't PUT]    +->> trusts >>+          |
>>                  |        /               \         |
>>          +---------------+                 +------------------+
>>          | Victim server |<---[Can PUT!]---| Privileged User  |
>>          +---------------+                 +------------------+
>> 
>> So the victim server would already be configured to tell Privileged User
>> and Attacker apart, otherwise the attacker could PUT directly and would
>> not care about cross site requests. It can't be enough to compromise the
>> other site as otherwise the attacker could PUT directly as well (e.g. the
>> site stores username and password in a cookie, attacker reads out cookie
>> and uses them to authenticate with the victim server).
>
>So first off I think a lot of sites are going to "trust" *, so there is 
>no need to compromise a site, just set up your own.
>
>Second, even if you compromise a site, you can only steal the users 
>cookies for *that* site, not the cookies for the victim server.

Quite correct, but you misread if you think I wrote anything to the contrary.
You also seem to have missed my request for examples for headers
that dramatically alter the server behavior and server setups where it'd
be difficult to prevent the problem you are concerned about. Sharing the
examples would make it easier to see why your proposal must be adopted,
or come up with an alternative.
-- 
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Weinh. Str. 22 · Telefon: +49(0)621/4309674 · http://www.bjoernsworld.de
68309 Mannheim · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/ 

Received on Saturday, 31 May 2008 13:07:00 UTC
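The trust setup in the diagram above, modelled as a server-side policy check. This is an added example, not code from the thread or from any Access Control implementation; the class and function names (`VictimPolicy`, `CrossSiteRequest`, `decide_put`, `scenarios`) and the sample origins are assumptions, and the policy follows the later CORS rule that a wildcard origin allowance must not be combined with credentialed (cookie-bearing) requests. It runs the three cases argued in the exchange: the attacker PUTting directly without a session, the "trust *" configuration that lets the attacker use a site of their own, and the explicit allow-list that only a compromised trusted site gets past.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class CrossSiteRequest:
    """Constructed model of one browser request, as the victim server sees it."""
    origin: str           # site whose page issued the request (Origin header)
    method: str
    session_cookie: bool  # browser attached the victim server's session cookie


@dataclass(frozen=True)
class VictimPolicy:
    """The victim server's cross-site configuration (hypothetical model)."""
    trusted_origins: frozenset  # explicit allow-list, or {"*"} to trust everyone
    allow_credentials: bool     # honour cookie-bearing cross-site requests


def policy_is_sane(policy: VictimPolicy) -> bool:
    """Wildcard trust combined with credentials makes every third-party site a
    'trusted' one; later CORS forbids that pairing outright, and a server
    admin should refuse to deploy it."""
    return not ("*" in policy.trusted_origins and policy.allow_credentials)


def decide_put(policy: VictimPolicy, req: CrossSiteRequest):
    """Return (accepted, reason) for a cross-site PUT against the victim server.

    Authentication comes first: without the privileged user's session cookie
    the attacker cannot PUT at all, with or without a trusting third site.
    Only then does the cross-site trust policy matter."""
    if req.method != "PUT":
        return False, "only PUT is modelled here"
    if not req.session_cookie:
        return False, "no session: attacker cannot PUT directly"
    trusted = "*" in policy.trusted_origins or req.origin in policy.trusted_origins
    if not trusted:
        return False, f"origin {req.origin} is not trusted"
    if not policy.allow_credentials:
        return False, "credentialed cross-site request refused by policy"
    return True, f"trusted origin {req.origin} drove a credentialed PUT"


def scenarios() -> dict:
    """Run the cases discussed in the thread; all origins are constructed."""
    user_via_trusted = CrossSiteRequest("https://trusted.example", "PUT", True)
    user_via_attacker = CrossSiteRequest("https://attacker.example", "PUT", True)
    attacker_direct = CrossSiteRequest("https://attacker.example", "PUT", False)

    wildcard = VictimPolicy(frozenset({"*"}), allow_credentials=True)
    explicit = VictimPolicy(frozenset({"https://trusted.example"}), allow_credentials=True)

    return {
        # attacker alone, no cookie: refused regardless of policy
        "attacker_direct": decide_put(explicit, attacker_direct)[0],
        # "trust *": the attacker's own site can drive the user's browser
        "wildcard_own_site": decide_put(wildcard, user_via_attacker)[0],
        # explicit list: the attacker's own site is refused
        "explicit_own_site": decide_put(explicit, user_via_attacker)[0],
        # explicit list: only a compromised trusted site gets through
        "explicit_compromised": decide_put(explicit, user_via_trusted)[0],
        # the wildcard-plus-credentials configuration is the one to reject
        "wildcard_sane": policy_is_sane(wildcard),
    }


if __name__ == "__main__":
    for name, accepted in scenarios().items():
        print(f"{name:22s} {accepted}")
```

The check that matters for the admin is `policy_is_sane`: an explicit allow-list narrows the exposure to the sites actually listed, while `*` with credentials turns every site on the web into one of them.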