BugTraq
common dns misconfiguration can lead to "same site" scripting Jan 18 2008 04:40PM
Tavis Ormandy (taviso sdf lonestar org) (2 replies)
Re: common dns misconfiguration can lead to "same site" scripting Jan 21 2008 08:25AM
Florian Weimer (fweimer bfk de) (1 replies)
* Tavis Ormandy:

> Hello, I'd like to document what appears to be a common named
> misconfiguration that can result in a minor security issue with web
> applications.

Interesting, thanks.

I did some digging because I remembered a rule to put "localhost"
nodes into all zones. It turns out that this was once recommended by
RFC 1537:

| Note that all domains that contain hosts should have a "localhost" A
| record in them.

That RFC was obsoleted by RFC 1912 in 1996, so there's no RFC
conformance issue if you omit the domain names. But it explains why
there are so many zones that contain them.

> The JavaScript SOP
> (http://www.mozilla.org/projects/security/components/same-origin.html)
> does include the port number, where as RFC2109
> (http://www.ietf.org/rfc/rfc2109.txt) explicitly does not. This
> behaviour is arguably incorrect, making it impossible to securely
> host a website from a multi-user machine, but nevertheless is the
> case, and is implemented by most major browsers.

A lot of deployed applications (including some of yours) would break
if cookies did not allow port switching.

--
Florian Weimer <fweimer (at) bfk (dot) de [email concealed]>
BFK edv-consulting GmbH http://www.bfk.de/
Kriegsstraße 100 tel: +49-721-96201-1
D-76133 Karlsruhe fax: +49-721-96201-99

[ reply ]
Re: common dns misconfiguration can lead to "same site" scripting Jan 21 2008 05:04PM
David Malone (dwmalone maths tcd ie) (1 replies)
Re: common dns misconfiguration can lead to "same site" scripting Jan 21 2008 05:19PM
Florian Weimer (fweimer bfk de)
Re: common dns misconfiguration can lead to "same site" scripting Jan 19 2008 12:02AM
Kurt Grutzmacher (grutz jingojango net)


 

Privacy Statement
Copyright 2010, SecurityFocus