It's a common and sensible practice to install records of the form "localhost. IN A 127.0.0.1" into nameserver configurations; bizarrely, however, administrators often mistakenly drop the trailing dot, introducing an interesting variation of Cross-Site Scripting (XSS) I call Same-Site Scripting. The missing dot indicates that the record is not fully qualified, and thus queries of the form "localhost.example.com" are resolved. While superficially this may appear to be harmless, it does in fact allow an attacker to cheat the RFC2109 (HTTP State Management Mechanism) same origin restrictions, and therefore hijack state management data.
That whenever any form of Government becomes destructive of those ends,
it is the right of the People to alter or abolish it and to institute new Government.
Sunday, January 20, 2008
Same site scripting security issue
Here's an interesting exploit, brought to light by Tavis Ormandy, based on a minor misconfiguration in named.conf on multi-user systems:
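The misconfiguration in the advisory quoted above is purely a zone-file syntax slip: a name without a trailing dot is relative to the zone's $ORIGIN, so "localhost" becomes "localhost.example.com" and a browser will happily send cookies scoped to example.com to it. The following is an added example written for this post, not Tavis Ormandy's code and not part of the original article: a small checker that applies the relative-name rule to a BIND-style zone file and reports any record written without a trailing dot that points at a loopback address. The zone text is constructed for the example, and the check generalises slightly beyond the advisory in that it flags any such name (not just "localhost") and covers AAAA ::1 as well as A 127.0.0.1.

```python
"""Scan a BIND-style zone file for unqualified names that resolve to loopback."""
import ipaddress

# Constructed sample zone (example.com is a reserved documentation domain).
# The relative "localhost" and "ip6-localhost" records are the misconfiguration;
# "localhost." with its trailing dot is the correct, absolute form.
SAMPLE_ZONE = """\
$ORIGIN example.com.
$TTL 3600
@             IN SOA  ns1.example.com. hostmaster.example.com. (
                          2008012001 ; serial
                          3600 900 604800 86400 )
              IN NS   ns1.example.com.
ns1           IN A    192.0.2.1
www           IN A    192.0.2.2
localhost.    IN A    127.0.0.1   ; correct: absolute name, stays outside the zone
localhost     IN A    127.0.0.1   ; wrong: relative, becomes localhost.example.com.
ip6-localhost IN AAAA ::1         ; same mistake for IPv6
"""


def qualify(name: str, origin: str) -> str:
    """Zone-file rule: trailing dot = absolute, '@' = the origin, else relative to $ORIGIN."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}.{origin}"


def iter_records(zone_text: str):
    """Yield (fqdn, was_relative, rtype, rdata) for each record, tracking $ORIGIN,
    blank-owner continuation lines and parenthesised multi-line records (SOA)."""
    origin = "."
    last_owner, last_relative = origin, False
    in_paren = False
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()  # drop comments
        if in_paren:  # inside a ( ... ) record; skip until it closes
            if ")" in line:
                in_paren = False
            continue
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$"):  # $TTL, $INCLUDE etc. are directives, not records
            continue
        tokens = line.split()
        if line[0].isspace():  # blank owner field: same owner as the previous record
            owner, relative = last_owner, last_relative
        else:
            name = tokens.pop(0)
            relative = name != "@" and not name.endswith(".")
            owner = qualify(name, origin)
        last_owner, last_relative = owner, relative
        # optional TTL and class precede the type; strip them so tokens[0] is the type
        while tokens and (tokens[0].isdigit() or tokens[0].upper() in ("IN", "CH", "HS")):
            tokens.pop(0)
        if not tokens:
            continue
        if "(" in line and ")" not in line:
            in_paren = True
        yield owner, relative, tokens[0].upper(), tokens[1:]


def find_loopback_records(zone_text: str):
    """Return [(fqdn, address)] for A/AAAA records whose owner was written without a
    trailing dot (so it was expanded under the zone) and whose address is loopback."""
    findings = []
    for fqdn, relative, rtype, rdata in iter_records(zone_text):
        if rtype not in ("A", "AAAA") or not rdata:
            continue
        try:
            addr = ipaddress.ip_address(rdata[0])
        except ValueError:
            continue  # not a literal address; nothing to check
        if relative and addr.is_loopback:
            findings.append((fqdn, str(addr)))
    return findings


if __name__ == "__main__":
    for fqdn, addr in find_loopback_records(SAMPLE_ZONE):
        print(f"unqualified loopback record: {fqdn} -> {addr}")
```

Run against a real zone, the only records the checker should ever report are ones you deliberately want resolvable as a subdomain; a "localhost" entry belongs in the hosts file or, if it must be in the zone at all, as the absolute "localhost." so it never acquires the zone's suffix.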
Thank you.
Not something I have ever considered, but in hindsight it is obvious.
Although, I don't make a habit of putting localhost into zone files. I leave it as an entry in the hosts file, precisely because localhost is, by definition, unaffiliated with any domain.
No, let me rephrase that. Putting localhost into a zone file is loopy.
"hijack STATE management data"
Boring! Whoever has my 2 discs with all your child benefit data has already done that.