[Zope-dev] [RFClet]: What about the request method and the client side trojan?
Oliver Bleutgen
myzope@gmx.net
Tue, 09 Apr 2002 20:25:41 +0200
Brian Lloyd wrote:
>>[proposal of dissallowing GETs for management methods]
>>The win would be that disabling javascipt would make a client save from
>>this form of attack, AFAIK, OTOH I can't think of anything which would
>>break ATM.
>>
>
> While I don't necessarily disagree about making GETs idempotent,
> this still doesn't make you "safe", even with JS turned off.
Ahh, idempotent, that word escaped me ;-).
>
> A quick example: images can be used as form submit buttons. If
> I can get you to visit a page and click on my innocent looking
> image... you're done :)
Ok, I wasn't clear enough. What I proposed would at least give the
browser implementors a chance to remedy the problem (e.g. ask before
form submission etc.). Compare your scenario to that where one just
needs to write
<img href="http://victimserver/evilmethod">
>
> This is hard, hard, problem. While some good ideas have been
> proposed, there is not really a quick fix that doesn't have
> some downside that some group somewhere considers a
> showstopper :(
I consider what I wrote really not the most sophisticated idea around,
more something in the line of disabling unneeded servers on a unix machine.
But I also don't see how it could be a showstopper for any scenario.
No pain (barring modification of methods, which could be done step by
step), some gain ... sounds good to me.
cheers,
oliver