
Re: XRI 2.0 Review by the W3C TAG - security concern?

From: Roy T. Fielding <fielding@gbiv.com>
Date: Fri, 6 May 2005 12:08:42 -0700
Message-Id: <e97dde76b4491ad624b3993fdcb6f637@gbiv.com>
Cc: www-tag@w3.org
To: Graham Klyne <GK@ninebynine.org>

On May 5, 2005, at 10:58 AM, Graham Klyne wrote:
> Quite separately, I today came across a posting on ACM RISKS forum 
> 23.73 that points out a security concern... "The RISK is obvious: 
> allowing untrusted URL redirects in this case will fool many more 
> people".  The full message is below.  I don't know if this causes a 
> problem for the proposed approach, but it seems to be an issue worth 
> considering.

No, that issue is just simple bone-headed deployment in their
webspace of an ISAPI DLL that accepts commands as query data.
Someone is exploiting that huge security hole to create
a cross-site scripting attack.

It does not impact the value of normal redirects wherein the
destination is provided by the server config (not the client).

....Roy
Received on Friday, 6 May 2005 19:08:51 UTC
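The distinction Roy draws, a redirector that takes its destination from the client's query data versus one whose destinations come from the server's own configuration, as an added example that is not part of the original thread or any W3C or XRI code. The host name, the query parameter names (`url`, `to`), the redirect table and the access-log format are all constructed for illustration; the last function is the kind of check a defender would run over real logs to find requests that try to use a redirector to leave the site.

```python
from urllib.parse import urlsplit, parse_qs

OWN_HOST = "example.org"   # constructed: the host the redirector lives on

# Constructed server-side redirect table, standing in for "server config":
# the client may name an entry, but the destinations themselves are fixed here.
REDIRECT_TABLE = {
    "docs": "https://www.w3.org/TR/",
    "tag":  "https://www.w3.org/2001/tag/",
}


def _query_param(request_url, name):
    """First value of a query parameter in request_url, or None if absent."""
    values = parse_qs(urlsplit(request_url).query).get(name)
    return values[0] if values else None


def open_redirect(request_url):
    """The pattern the RISKS posting describes: the Location value is taken
    verbatim from client-supplied query data, so any destination is honoured."""
    return _query_param(request_url, "url")


def configured_redirect(request_url):
    """The form Roy contrasts it with: the client may only name an entry, the
    server config decides the destination, and unknown names get no redirect."""
    name = _query_param(request_url, "to")
    if name is None:
        return None
    return REDIRECT_TABLE.get(name)


def leaves_own_site(location, own_host=OWN_HOST):
    """True if following `location` would take the browser off own_host.
    Relative paths stay on-site; non-http(s) schemes never count as on-site;
    host comparison is case-insensitive."""
    parts = urlsplit(location)
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return True
    host = parts.hostname
    return host is not None and host.lower() != own_host.lower()


# Constructed access-log lines: '<client> "<method> <path> HTTP/1.1" <status>'
SAMPLE_LOG = [
    '203.0.113.5 "GET /go?to=docs HTTP/1.1" 302',
    '203.0.113.6 "GET /go?url=/account/settings HTTP/1.1" 302',
    '203.0.113.7 "GET /go?url=http://evil.example/phish HTTP/1.1" 302',
    '203.0.113.8 "GET /index.html HTTP/1.1" 200',
]


def flag_open_redirects(log_lines, own_host=OWN_HOST):
    """Defender's check: return the request paths whose client-supplied 'url'
    parameter points off-site, i.e. the requests an open redirector would
    have honoured. Malformed lines are skipped."""
    flagged = []
    for line in log_lines:
        try:
            path = line.split('"')[1].split(" ")[1]
        except IndexError:
            continue
        target = open_redirect("http://" + own_host + path)
        if target is not None and leaves_own_site(target, own_host):
            flagged.append(path)
    return flagged


if __name__ == "__main__":
    for path in flag_open_redirects(SAMPLE_LOG):
        print("off-site redirect requested:", path)
```

The safe variant never echoes client data into the Location header at all: the only thing the client chooses is a key into a table the server controls, which is what "destination provided by the server config (not the client)" amounts to in code.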
