- From: Bjoern Hoehrmann <derhoermi@gmx.net>
- Date: Thu, 10 Jul 2008 15:02:54 +0200
- To: Jonas Sicking <jonas@sicking.cc>
- Cc: Webapps WG <public-webapps@w3.org>
* Jonas Sicking wrote:
>I'm working on this method. I've contacted Adobe since I think flash
>currently allows cross-site POSTing with arbitrary Content-Types. I've
>also contacted Microsoft to see if they have gotten any feedback on IE8
>Beta 1 where XDR allows arbitrary content types to see if they have
>gotten any feedback there. Silverlight also supports this feature.

As I recall, Silverlight 1.x does not support cross-domain requests in this way, and Silverlight 2.x, which is only a Beta at the moment, should require a properly configured clientaccesspolicy.xml or crossdomain.xml file before doing the POST.

Adobe Flash until recently let you freely do cross domain POST requests with headers largely of your choice, but that changed when it was pointed out how you can use that to reconfigure home routers; now setting headers requires a crossdomain.xml file. The documentation did not say whether this includes setting the Content-Type header, so I tried this with a simple script in the latest version of the plugin for Windows, and e.g.

  var r:URLRequest = new URLRequest('http://192.168.2.1/echo.pl');
  r.method = 'POST';
  r.data = 'Hello World';
  r.contentType = 'application/xml';
  navigateToURL(r, '_self');

works nicely in Firefox 3 (and fails in more secure browsers with zone restrictions). This naturally does not mean anything if you consider how the plugin behaved half a year ago, and it would be unsurprising if Adobe turns this off as well.

>I'd also like to make a general shout-out here to see how people feel
>about this, or if they know of any other protocols that send arbitrary
>Content-Types with cross-site POSTs that we could use to gather data
>about if this makes sites exploitable.

Some http://www.gnucitizen.org/blog/cross-site-file-upload-attacks/ see this as a problem, but then some of this is already possible with <form> as pointed out in the comments.

In the end there is no doubt that being able to do more cross-domain POSTs in more situations than you can right now will be exploited to compromise systems. Much like systems are being compromised today with what you can do today.

-- 
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Weinh. Str. 22 · Telefon: +49(0)621/4309674 · http://www.bjoernsworld.de
68309 Mannheim · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/
Received on Thursday, 10 July 2008 13:03:34 UTC
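
Added example (not part of the original message or of any project named in it): the server-side view of the concern discussed in this thread. A handler that treats a non-form Content-Type as proof of a same-site request accepts a cross-site POST carrying application/xml, while a session-bound token check does not depend on Content-Type at all. The header name x-csrf-token, the request object shape and all sample values are assumptions constructed for illustration.

```javascript
const crypto = require('crypto');

// Content types an HTML <form> can already send cross-site.
const FORM_TYPES = new Set([
  'application/x-www-form-urlencoded',
  'multipart/form-data',
  'text/plain',
]);

// Media type without parameters, lower-cased ('' when the header is absent).
function mediaType(req) {
  return (req.headers['content-type'] || '').split(';')[0].trim().toLowerCase();
}

// Weak: assumes only same-site script can send a non-form Content-Type.
// Any client feature that sets Content-Type cross-site defeats it.
function weakCheck(req) {
  return !FORM_TYPES.has(mediaType(req));
}

// Token bound to the session; served only in same-site pages (assumed scheme).
function issueToken(secret, sessionId) {
  return crypto.createHmac('sha256', secret).update(sessionId).digest('hex');
}

// Hardened: ignores Content-Type and requires the session-bound token,
// which a cross-site sender cannot read even though cookies ride along.
function hardenedCheck(req, secret) {
  const expected = Buffer.from(issueToken(secret, req.sessionId));
  const supplied = Buffer.from(String(req.headers['x-csrf-token'] || ''));
  return supplied.length === expected.length &&
    crypto.timingSafeEqual(supplied, expected);
}

// Constructed sample requests (not captured traffic).
const SECRET = 'constructed-demo-secret';
const crossSite = {
  sessionId: 's1', // the victim's cookie is attached by the browser
  headers: { 'content-type': 'application/xml' },
};
const sameSite = {
  sessionId: 's1',
  headers: {
    'content-type': 'application/xml',
    'x-csrf-token': issueToken(SECRET, 's1'),
  },
};
```

With these samples, weakCheck accepts the cross-site request, and hardenedCheck accepts only the one carrying the token.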