- From: Eduardo' Vela\ <evn@google.com>
- Date: Tue, 13 May 2014 14:44:09 -0700
- To: Ian Hickson <ian@hixie.ch>
- Cc: whatwg <whatwg@lists.whatwg.org>, Adam Barth <w3c@adambarth.com>, Michal Zalewski <lcamtuf@coredump.cx>
(for the sake of completeness) On Tue, May 13, 2014 at 12:06 PM, Ian Hickson <ian@hixie.ch> wrote: > On Tue, 13 May 2014, Eduardo' Vela\" <Nava> wrote: > > > > > > I agree that you're less likely to be able to control the headers. But > > > I don't think that's enough. A big part of the reason that authors > > > find it hard to set HTTP headers is that doing so is technically > > > complicated, not that it's impossible. If an attacker is putting files > > > on an Apache server because there's some upload vulnerability, it > > > becomes trivial to set the HTTP headers: just upload a .htaccess file. > > > > Uploading a .htaccess file is a significantly greater vulnerability than > > XSS, as it allows RCE, and we are concerned here about vulnerabilities > > that don't just allow the user to upload files, but rather to serve > > files from a web service. The later are more common than the former. > > It doesn't necessarily allow RCE, but sure. Yes, not in all situations, but in some of them it does: https://github.com/wireghoul/htshells/tree/master/shell
Received on Tuesday, 13 May 2014 21:44:53 UTC