[Zope-dev] [RFClet]: What about the request method and the client side trojan?

Oliver Bleutgen myzope@gmx.net
Tue, 09 Apr 2002 20:25:41 +0200


Brian Lloyd wrote:
 >>[proposal of disallowing GETs for management methods]
 >>The win would be that disabling JavaScript would make a client safe from
 >>this form of attack, AFAIK, OTOH I can't think of anything which would
 >>break ATM.
 >>
 >
 > While I don't necessarily disagree about making GETs idempotent,
 > this still doesn't make you "safe", even with JS turned off.

Ahh, idempotent, that word escaped me ;-).

 >
 > A quick example: images can be used as form submit buttons. If
 > I can get you to visit a page and click on my innocent looking
 > image... you're done :)

Ok, I wasn't clear enough. What I proposed would at least give the
browser implementors a chance to remedy the problem (e.g. ask before
form submission etc.). Compare your scenario to that where one just
needs to write
<img src="http://victimserver/evilmethod">

 >
 > This is hard, hard, problem. While some good ideas have been
 > proposed, there is not really a quick fix that doesn't have
 > some downside that some group somewhere considers a
 > showstopper :(

I consider what I wrote really not the most sophisticated idea around,
more something along the lines of disabling unneeded servers on a Unix machine.
But I also don't see how it could be a showstopper for any scenario.
No pain (barring modification of methods, which could be done step by
step), some gain ... sounds good to me.

cheers,
oliver
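The three situations the exchange above turns on (a GET fired by an <img> tag, a POST fired by an innocent-looking image submit button, and what a server that refuses GETs for management methods does with each) as an added simulation. This is constructed example code, not code from the thread or from Zope: the Folder, its single management method, the session handling and the HTTP status codes are all assumptions made for the demonstration. The third policy, requiring a per-session secret in the POST body, goes beyond what the thread proposes; it is included because it is the check that actually stops the form case Brian describes.

```python
"""Toy model of the cross-site request problem discussed in the thread.

Constructed example (not Zope code). A 'browser' attaches the victim's
session cookie to every request to victimserver, which is exactly what
lets a page on attackerserver act on the victim's behalf. Three policies:

  'any'        : management method callable with any request method
                 (the situation the thread is about)
  'post_only'  : GETs to management methods are refused (the proposal)
  'post_token' : POST plus a per-session secret the attacker cannot read
                 (the standard fix, beyond what the thread proposes)
"""
import hmac
import secrets

# Hypothetical name; Zope's real management methods are not modelled here.
MANAGEMENT_METHODS = {"manage_delObjects"}


class Folder:
    def __init__(self):
        self.objects = {"important.html", "index.html"}
        self.sessions = {}  # session id -> per-session secret token

    def login(self):
        """Create a session and return its id (what the cookie carries)."""
        sid = secrets.token_hex(8)
        self.sessions[sid] = secrets.token_hex(16)
        return sid

    def token_for(self, sid):
        """The secret a legitimate management page would embed in its form."""
        return self.sessions[sid]

    def manage_delObjects(self, ids):
        for name in ids:
            self.objects.discard(name)
        return "deleted"

    def dispatch(self, policy, method, path, cookies, form):
        """Route one request under the given policy; return (status, body)."""
        sid = cookies.get("session")
        if sid not in self.sessions:
            return 401, "no session"
        name = path.lstrip("/")
        if name not in MANAGEMENT_METHODS:
            return 404, "not found"
        if policy in ("post_only", "post_token") and method != "POST":
            return 405, "GET not allowed for management methods"
        if policy == "post_token":
            supplied = form.get("csrf_token", "")
            # constant-time compare, so the check leaks nothing about the token
            if not hmac.compare_digest(supplied, self.sessions[sid]):
                return 403, "missing or wrong token"
        return 200, getattr(self, name)(form.get("ids", []))


def img_attack(folder, policy, victim_sid):
    # Attacker page contains: <img src="http://victimserver/manage_delObjects?ids=important.html">
    # The browser issues a GET and adds the victim's cookie on its own.
    return folder.dispatch(policy, "GET", "/manage_delObjects",
                           {"session": victim_sid}, {"ids": ["important.html"]})


def form_attack(folder, policy, victim_sid):
    # Attacker page contains a form whose submit button is an innocent image:
    #   <form method="POST" action="http://victimserver/manage_delObjects">
    #     <input type="hidden" name="ids:list" value="important.html">
    #     <input type="image" src="innocent.png">
    #   </form>
    # One click submits a POST with the victim's cookie; no JavaScript needed.
    # The attacker's page cannot read the victim's token, so none is sent.
    return folder.dispatch(policy, "POST", "/manage_delObjects",
                           {"session": victim_sid}, {"ids": ["important.html"]})


def legit_delete(folder, policy, sid):
    # The victim, on the real management page, deletes index.html on purpose.
    form = {"ids": ["index.html"]}
    if policy == "post_token":
        form["csrf_token"] = folder.token_for(sid)
    return folder.dispatch(policy, "POST", "/manage_delObjects",
                           {"session": sid}, form)


def run_scenario(policy):
    """Play all three requests against a fresh folder; report what happened."""
    folder = Folder()
    sid = folder.login()
    return {
        "img": img_attack(folder, policy, sid)[0],
        "form": form_attack(folder, policy, sid)[0],
        "legit": legit_delete(folder, policy, sid)[0],
        "important_survived": "important.html" in folder.objects,
    }


if __name__ == "__main__":
    for policy in ("any", "post_only", "post_token"):
        print(policy, run_scenario(policy))
```

Under 'any' both attacks succeed; under 'post_only' the <img> GET is refused but the image-button POST still deletes the file, which is Brian's point; only 'post_token' refuses the cross-site POST while the victim's own, token-bearing request still works.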