- From: Nick Kew <nick@webthing.com>
- Date: Fri, 14 Dec 2001 19:42:59 +0000 (GMT)
- To: Bud Hovell <bud@uzix.com>
- cc: <www-validator@w3.org>

On Fri, 14 Dec 2001, Bud Hovell wrote:

>
> Hi, Martin ...
>
>
> > > For a description of the problem, please see
> > > http://lists.w3.org/Archives/Public/www-validator/2001JulSep/0476.html

Bud appears to be replying to something I haven't seen.

> With respect to the entire thread of the discussion cited above about the
> errant browser behavior, this level of threat doesn't appear to be a
> show-stopper, given all the conditions which would have to be fulfilled
> for an actual (rather than hypothetical) unauthorized access to occur on
> a second server after validation on a prior one (which I think Nick Kew
> attempted to point out). Not to say it could never lead to a breach, but
> ...

But since I seem to have had something to say on the subject in the
past, I felt compelled to review what you're talking about.

It is perhaps worth noting that, while my comments apply to the service
running at validator.w3.org, they would not necessarily apply in every
case. For example, if you were to run the W3 validator locally on a
company website or intranet having different protected areas, it could
be quite a significant security risk. In such a case you would
definitely be better-advised to use a different approach, such as that
adopted by relevant parts of Site Valet.

> > If you have a better idea of how to fix the problem, please
> > > send it to www-validator@w3.org.

Well, my thoughts on the subject are in my reply to the message
already referenced.

> All your folks really had to do was offer a prominent notice informing
> local administrators of this negligible risk, LEAVING IT TO THEM to
> decide which protected pages, if any, should be included for validation
> based on local risk assessment.

Not necessarily true. The person doing validation could be ignorant of
potential problems, and a security advisory could go straight over
their heads.

Any tool that might facilitate the circumvention of a standard security
mechanism would be well-advised to do so with great caution, and to
present a warning (with full explanation) to the user in all cases.

>

(chop - I'm certainly not commenting on the rest of this without
having seen the discussion leading up to it).

--
Nick Kew

Site Valet - the sign of Quality on the Web.
<URL:http://valet.webthing.com/>

Received on Friday, 14 December 2001 14:43:38 UTC