Re: Cross-site scripting

From: Robert Collins <robert.collins@dont-contact.us>
Date: Tue, 31 Oct 2000 08:38:00 +1100

----- Original Message -----
From: "Henrik Nordstrom" <hno@hem.passagen.se>
To: "Robert Collins" <robert.collins@itdomain.com.au>
Cc: <squid-dev@squid-cache.org>
Sent: Tuesday, October 31, 2000 7:13 AM
Subject: Re: Cross-site scripting

> Robert Collins wrote:
> >
> > Looks great to me...
>
> Good.
>
> One thing remains: I haven't looked at all at wais.c.

I've just been through it and we don't use any *printf calls. In fact it
looks like we pass the result on verbatim to the client. So it becomes the
client's and the wais server's responsibility.

>
> gopher.c was as sensitive to these issues as the error pages due to
> input data being reflected in the Gopher replies. So any site running
> both a web and a gopher server on the same address could be fooled. The
> "good" news is that my browser had similar issues when talking directly
> to the site without a proxy.
>
> FTP had issues if the attacker could create directory
> structures/filenames or welcome messages on the FTP server. The "good"
> news applies here too.
>
> So I presume wais.c also has issues, but due to lack of experience from
> using that protocol I have not bothered with it, and since it is in
> significantly less widespread use than even gopher is I think it is only
> a minor issue.

Unfortunately, with script kiddies et al. even minor issues when present in
widely deployed software (like squid) tend to be exploited at some point or
another.

What happens now as far as getting the patch out for 2.x and a note to
Bugtraq?
Rob

>
> /Henrik
>
>
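The reflection Henrik describes (server-supplied text from a Gopher menu or FTP listing, or an FTP welcome message, printed straight into the HTML page the proxy generates) is prevented by escaping that text before it is formatted. The following is an added illustration in C, not Squid's code; the function names and the listing markup are hypothetical.

```c
/* Added example (not Squid's code): HTML-escape server-supplied text
 * before a proxy reflects it into a generated page. A Gopher menu entry,
 * an FTP file name or a welcome-message line is attacker-controlled and
 * must not reach the HTML output unescaped. */
#include <stdio.h>
#include <string.h>

/* Escape the characters that let text break out of an HTML text node or
 * attribute value. Returns the length written, or -1 if `out` is too
 * small; `out` is NUL-terminated in both cases. */
int html_escape(const char *in, char *out, size_t outlen)
{
    size_t used = 0;
    for (; *in; in++) {
        char one[2] = { *in, 0 };
        const char *rep;
        switch (*in) {
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '&':  rep = "&amp;";  break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = one;      break;
        }
        size_t n = strlen(rep);
        if (used + n + 1 > outlen) { out[used] = 0; return -1; }
        memcpy(out + used, rep, n);
        used += n;
    }
    out[used] = 0;
    return (int)used;
}

/* The pattern that caused the problem: the raw name is formatted straight
 * into HTML, so a name containing "<script>" becomes markup in the page. */
int listing_entry_raw(const char *name, char *out, size_t outlen)
{
    return snprintf(out, outlen, "<li>%s</li>", name);
}

/* Hardened form: escape once, then format the escaped copy. A real
 * implementation would also percent-encode anything placed in an href. */
int listing_entry_safe(const char *name, char *out, size_t outlen)
{
    char esc[512];
    if (html_escape(name, esc, sizeof esc) < 0)
        return -1;
    return snprintf(out, outlen, "<li>%s</li>", esc);
}
```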
Received on Mon Oct 30 2000 - 14:33:02 MST
