- From: Boris Zbarsky <bzbarsky@MIT.EDU>
- Date: Wed, 03 Aug 2011 11:24:24 -0400
- To: public-webapps@w3.org
On 8/3/11 5:03 AM, Philippe De Ryck wrote:
>> You can create pretty much any arbitrary message body you want using
>> application/x-www-form-urlencoded already by crafting smart names and
>> values so the real importance is in not being able to set Content-Type.
>> This is not a security problem as far as I can tell.
>
> Using a form still results in the use of = and& in the body, even with crafted names/values. Taking the ICS format as an example, this is very difficult to encode in a normal form, but very easy with cross-origin XHR. This can leave legacy servers open to a new attack vector.
>
> BEGIN:VCALENDAR
> VERSION:2.0
> PRODID:-//hacksw/handcal//NONSGML v1.0//EN
> BEGIN:VEVENT
> UID:uid1@example.com
> DTSTAMP:19970714T170000Z
> ORGANIZER;CN=John Doe:MAILTO:john.doe@example.com
> DTSTART:19970714T170000Z
> DTEND:19970715T035959Z
> SUMMARY:Bastille Day Party
> END:VEVENT
> END:VCALENDAR
Trivial encoding of the above data in a normal form:
<!DOCTYPE html>
<form
action="put_your_echo_script_here_to_see_what_the_POST_data_looks_like"
method="POST"
enctype="text/plain">
<input type="hidden"
name="BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//hacksw/handcal//NONSGML v1.0//EN
BEGIN:VEVENT
UID:uid1@example.com
DTSTAMP:19970714T170000Z
ORGANIZER;CN"
value="John Doe:MAILTO:john.doe@example.com
DTSTART:19970714T170000Z
DTEND:19970715T035959Z
SUMMARY:Bastille Day Party
END:VEVENT
END:VCALENDAR
">
<input type="submit" value="Send me some ICS!">
</form>
This can be done cross-site by browsers right this second. The submit
can be fully scripted, so doesn't even need user interaction. Just
loading a page with such a form can send your nice ICS data to any HTTP
server that the UA is willing to reach.
-Boris
Received on Wednesday, 3 August 2011 15:25:06 UTC