On 04/04/2010 07:44 AM, Matt McCutchen:
> Such configurations are uncommon, but they are not intrinsically unreasonable. Sites that put parameters in URI path components are likely to keep the same approach for their write requests. For example, but for Launchpad's refusal of client-initiated renegotiation, it would be vulnerable to a request to subscribe to one bug being changed to a different bug. (Note that they use the Referer, not a token for XSRF protection.)
Which is simply another user input (modifiable by the user).
> I'll admit this is not a very serious compromise, but it illustrates the point. It's totally unfair to expect web developers to have anticipated that this configuration might be a bad idea.
Well, those are not only bad ideas, they are most likely vulnerable to all kinds of other attacks. The renegotiation flaw is just another contributing fact which obviously shouldn't happen, but even without it, it's certainly no guarantee for protection for this kind of coding.
--
Regards

Signer: Eddy Nigg, StartCom Ltd.
XMPP: start...@startcom.org
Blog: http://blog.startcom.org/
Twitter: http://twitter.com/eddy_nigg
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto