[Twisted-web] Preventing XSS when using Nevow's vhost functionality
David Reid
dreid at dreid.org
Thu Oct 20 13:06:35 MDT 2005
On Oct 19, 2005, at 4:39 PM, David Remahl wrote:
> I'm not sure your PoC encapsulates precisely the problem I
> described, but it is a valid variant which doesn't require as many
> preconditions (but is not possible to exploit in some browsers,
> such as Safari, that won't trust JS from another host even if
> directly referenced from goody). I think I should clarify that in
> my example, goody.com and evil.net are two sites that _are_ indeed
> served by the same nevow application. They each have their own
> little space on the same server, but they don't administer the
> application serving their content. I guess that's what you refer to
> as "sister applications".
I just wrote this very long email about your suggested exploit, and
then realized that the example configuration I imagined wouldn't
cause the type of behavior you describe. I can imagine a very
complicated configuration involving 3
vhost.VHostMonsterResources and 1 NameVirtualHost that might allow someone
to suddenly jump between two domains in the NameVirtualHost (at the
urging of an attacker), but I haven't tried to put together a PoC. If
this is in fact the configuration you're suggesting, I only have this
to say: I cannot think of a single use case for vhost.NameVirtualHost and
vhost.VHostMonsterResource being used today in a configuration such
as what I believe you to be describing. But if there is a use case,
I'm honestly not sure there is a way to make it work without properly.
-David