Comments on: Content-Disposition is not a security mechanism http://i8jesus.com/?p=64 because arshan's too cheap to license OneNote Wed, 01 Sep 2010 06:10:02 +0000 hourly 1 http://wordpress.org/?v=3.0.1 By: Aditya K Sood http://i8jesus.com/?p=64&cpage=1#comment-18281 Aditya K Sood Thu, 30 Jul 2009 07:33:20 +0000 http://i8jesus.com/?p=64#comment-18281 Hi The stature "content-Disposition" greatly depends on the design as well as implementation level. A paper has been released on "Silent HTTP Form Repurposing attacks through PDF". You can find the paper at http://secniche.org/papers/SNS_09_03_PDF_Silent_Form_Re_Purp_Attack.pdf The overall point is to to trace down the artifacts of HTTP header implementation and relative impacts on the helper software's. Hi

The stature “content-Disposition” greatly depends on the design as well as implementation level. A paper has been released on “Silent HTTP Form Repurposing attacks through PDF”.

You can find the paper at

http://secniche.org/papers/SNS_09_03_PDF_Silent_Form_Re_Purp_Attack.pdf

The overall point is to to trace down the artifacts of HTTP header implementation and relative impacts on the helper software’s.

]]> By: arshan dabirsiaghi http://i8jesus.com/?p=64&cpage=1#comment-17834 arshan dabirsiaghi Mon, 27 Jul 2009 14:07:32 +0000 http://i8jesus.com/?p=64#comment-17834 The E4X stuff is terrifying to me. /me hopes IE picks it up so we can write a 1,000 OWA exploits The E4X stuff is terrifying to me.

/me hopes IE picks it up so we can write a 1,000 OWA exploits

]]> By: kuza55 http://i8jesus.com/?p=64&cpage=1#comment-17823 kuza55 Mon, 27 Jul 2009 09:52:40 +0000 http://i8jesus.com/?p=64#comment-17823 Actually we talked about the same issue in Google Gears, since it was a bit more fun (E4X stylez, take that Watchfire!). Mainly because after mentioning the Flash issue as an aside at Bluehat no-one blinked and the official response from Adobe was "yep, that's how Flash works", I did a whole talk about that and similar SOP stuff: http://kuza55.blogspot.com/2008/09/its-been-while.html I hadn't checked the Java patch, so I'm surprised that Content-Disposition isn't checked, since Flash does check it now. I might have to see if Gmail serves jar files with the appropriate Content-Type /grin One interesting thing is that Content-Disposition: attachment is somewhat odd in IE, in that if the user clicks open, it runs in the context of the site. This was part of the local machine lock-down, but iirc, scripts don't run by default on file:// URIs in IE, and in Firefox you can't read files outside the directory you're executing in and can't read the directory listing of the page you're on, so steps are being taken to prevent this. (I found this out, right about when I sat down to write that .html trojan, so trust me, I'm just as pissed off as the next hacker.) Also, CSRF tokens need to be regenerated between sessions, not the unpredictable attachment ids that Gmail uses, because otherwise hackers get tricky and write exploits, I'd release code to prove it, but then I'd burn a whole lot of small, but useful bugs in browsers & Gmail. There's tonnes of file-API related bugs, a bunch of crazy italians published some good articles on PHP in particular at http://ush.it/ but I'm sure you've seen them... Personally, the few sites I've seen that had file uploads and weren't owned in 60 seconds...stored files in a database or at least outside outside the web root, stripped of ..s, slashes and NULLs and served via a wrapper page, a variation of this is storing them in another partition, and using a virtual directory mapping to them and disabling all possible ways of executing code. Of course these all still had xss, but what non-static website doesn't at some point? Browsers are fucked. - Alex Actually we talked about the same issue in Google Gears, since it was a bit more fun (E4X stylez, take that Watchfire!).

Mainly because after mentioning the Flash issue as an aside at Bluehat no-one blinked and the official response from Adobe was “yep, that’s how Flash works”, I did a whole talk about that and similar SOP stuff: http://kuza55.blogspot.com/2008/09/its-been-while.html

I hadn’t checked the Java patch, so I’m surprised that Content-Disposition isn’t checked, since Flash does check it now. I might have to see if Gmail serves jar files with the appropriate Content-Type /grin

One interesting thing is that Content-Disposition: attachment is somewhat odd in IE, in that if the user clicks open, it runs in the context of the site. This was part of the local machine lock-down, but iirc, scripts don’t run by default on file:// URIs in IE, and in Firefox you can’t read files outside the directory you’re executing in and can’t read the directory listing of the page you’re on, so steps are being taken to prevent this. (I found this out, right about when I sat down to write that .html trojan, so trust me, I’m just as pissed off as the next hacker.)

Also, CSRF tokens need to be regenerated between sessions, not the unpredictable attachment ids that Gmail uses, because otherwise hackers get tricky and write exploits, I’d release code to prove it, but then I’d burn a whole lot of small, but useful bugs in browsers & Gmail.

There’s tonnes of file-API related bugs, a bunch of crazy italians published some good articles on PHP in particular at http://ush.it/ but I’m sure you’ve seen them…

Personally, the few sites I’ve seen that had file uploads and weren’t owned in 60 seconds…stored files in a database or at least outside outside the web root, stripped of ..s, slashes and NULLs and served via a wrapper page, a variation of this is storing them in another partition, and using a virtual directory mapping to them and disabling all possible ways of executing code. Of course these all still had xss, but what non-static website doesn’t at some point?

Browsers are fucked.
– Alex

]]>