Re: Anyone here read vuln-dev?

From: Robert Collins <robert.collins@dont-contact.us>
Date: Mon, 30 Oct 2000 08:19:24 +1100

----- Original Message -----
From: "Henrik Nordstrom" <hno@hem.passagen.se>
To: "Adrian Chadd" <adrian@creative.net.au>
Cc: <squid-dev@squid-cache.org>
Sent: Monday, October 30, 2000 4:42 AM
Subject: Re: Anyone here read vuln-dev?

> No I don't read vuln-dev. However, Squid has not been audited at all for
> cross-site scripting vulnerabilities or other places where plain text
> is sent as HTML. There is not a single place where text is HTML
> encoded.
>
> There are issues like this in
>
> a) Error page generation
>
> b) FTP listings and messages
>
> c) Probably also in gopher and wais
>
> The error page generation is the most critical as this is exploitable at
> the client to do cross-site scripting. The others mostly fail..
>
> I certainly do not object to fixing this, however please keep in mind
> that simply encoding < > & is not enough as there are buggy clients
> around reading their 8-bit variants as 7-bit characters... so to be on
> the safe side the following encoding should be used:
>

it's #&NNN; for the format -

> & -> &amp;
done
> < -> &lt;
done
> > -> &gt;
done
> <32 >=127 -> &NN; where NN is the hexadecimal value of the character
> (unsigned char).

0-1F done. 127 & above done in the attached update html.c (and yes rfc1738
was a very handy inspiration :-]

<WHINE MODE>Personally I think it would have been appropriate for the
"ideas" person to have let squid-dev know before dropping it on the world
via vuln-dev....
</WHINE MODE>

Rob

>
> /Henrik
>
>
> Adrian Chadd wrote:
> >
> > On Sun, Oct 29, 2000, Robert Collins wrote:
> > > There's a new issue with squid being reported on vuln-dev:
> > >
> > > a url like
> > > http://123.microsoft.com/<script>alert(this.document.cookie)</script>
> > > does not have its html entities quoted (ie & > &amp;) before display on an
> > > errorpage. This allows cross site scripting attacks against all clients
> > > behind squid proxies.
> > >
> > > I suggest we add a html library file similar to the rfc1738 one to take a
> > > string and return a "safe to show on a web page" by escaping all the known
> > > entities.
> > >
> > > Probably there is a "standard way of doing this" - perhaps the xml library
> > > or some other library can just be linked in....
> >
> > Interesting. Ok, I'll commit what you've sent as a patch unless anyone
> > objects in the next couple days.
> >
> > --
> > Adrian Chadd "God: Damn! I left pot everywhere!
> > <adrian@creative.net.au> Now I'll have to create Republicans!"
> > - Bill Hicks
>
>

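As an added illustration of the encoding scheme Henrik describes above (this is example code written for this page, not the html.c update attached to the thread and not Squid's own implementation), the function below escapes & < > and emits every byte below 32 or at 127 and above as a decimal numeric character reference, so an untrusted URL can be placed in an error page without being interpreted as markup. The function name html_escape and the sample error-page text are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Escape a string for safe inclusion in an HTML page. The three always-special
 * characters (& < >) become named entities; every byte below 32 or at 127 and
 * above becomes a decimal numeric reference (&#NNN;), so a client that misreads
 * 8-bit bytes as 7-bit characters never sees raw markup either.
 * Returns a malloc()ed string the caller must free(), or NULL on allocation failure. */
char *html_escape(const char *src)
{
    /* Worst case: every input byte expands to "&#NNN;" (6 characters). */
    size_t cap = strlen(src) * 6 + 1;
    char *dst = malloc(cap);
    char *p = dst;
    if (!dst)
        return NULL;
    for (const unsigned char *s = (const unsigned char *)src; *s; s++) {
        if (*s == '&') {
            p += sprintf(p, "&amp;");
        } else if (*s == '<') {
            p += sprintf(p, "&lt;");
        } else if (*s == '>') {
            p += sprintf(p, "&gt;");
        } else if (*s < 32 || *s >= 127) {
            p += sprintf(p, "&#%u;", (unsigned)*s);
        } else {
            *p++ = (char)*s;
        }
    }
    *p = '\0';
    return dst;
}

/* Constructed sample: the URL quoted in the thread, embedded in an error page. */
int main(void)
{
    const char *url = "http://123.microsoft.com/<script>alert(this.document.cookie)</script>";
    char *safe = html_escape(url);
    if (!safe)
        return 1;
    printf("<p>The requested URL %s could not be retrieved.</p>\n", safe);
    free(safe);
    return 0;
}
```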
Received on Sun Oct 29 2000 - 14:14:27 MST
