On 04/06/11 03:53, Brion Vibber wrote:
> On Thu, Jun 2, 2011 at 5:21 PM, Tim Starling <tstarl...@wikimedia.org> wrote:
>> The main issue here is that we don't have a wide variety of web servers set
>> up for testing. We know that Apache lets you detect %2E versus dot via
>> $_SERVER['REQUEST_URI'], but we don't know if any other web servers do
>> that.
>>
>> Note that checking for %2E alone is not sufficient, a lot of
>> installations (including Wikimedia) have an alias /wiki ->
>> /w/index.php which can be used to exploit action=raw.
>>
>
> Well that should be fine; as long as we can see the "/wiki?/foo.bat" then we
> can identify that it doesn't contain an unencoded dot in the path.
>
> It sounds like simply checking REQUEST_URI when available would eliminate a
> huge portion of our false positives that affect real-world situations.
> Apache is still the default web server in most situations for most folks,
> and of course runs our own production servers.

You mean by checking $_SERVER["SERVER_SOFTWARE"] or something to check if it's Apache that we're running under? I suppose that could work.

It's easy enough to find out if REQUEST_URI is available. What we don't know is whether REQUEST_URI is really what was sent to the server, or whether it has %2E converted to "." before PHP gets to see it.

>>> Are there any additional exploit vectors for API output other than HTML
>>> tags mixed unescaped into JSON?
>>
>> Yes, all other content types, as I said above.
>>
>
> Only as drive-by downloads, or as things that execute without interaction?

Presumably that depends on what plugins are registered. I think it's better to avoid taking risks like this unless there is some good reason for doing so.

With a REQUEST_URI check in place, in addition to all the other mitigating measures we now have in place, overblocking should be vanishingly rare.

-- 
Tim Starling
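The REQUEST_URI check the two of them are discussing, written out as an added example (this is not code from the thread or from MediaWiki; the function names, the allowed-extension list and the sample URIs are assumptions): the raw URI is never URL-decoded, so a %2E stays distinguishable from a literal dot, the query string is cut off so the /wiki alias case "/wiki?/foo.bat" is not flagged, and the check is only trusted when SERVER_SOFTWARE says Apache, as Tim suggests.

```php
<?php
// Added example, not MediaWiki code. Hypothetical helper: does the path
// portion of a raw REQUEST_URI carry an unencoded dot in any segment, other
// than the script extensions we expect (e.g. "/w/index.php")?
function pathHasUnencodedDot( string $requestUri, array $allowedExtensions = [ 'php', 'php5' ] ): bool {
    // Drop the query string (and any fragment): "/wiki?/foo.bat" becomes "/wiki".
    $path = preg_replace( '/[?#].*/s', '', $requestUri );
    foreach ( explode( '/', $path ) as $segment ) {
        // "%2E" is left encoded on purpose: we deliberately never urldecode here.
        if ( strpos( $segment, '.' ) === false ) {
            continue;
        }
        $ext = strtolower( substr( strrchr( $segment, '.' ), 1 ) );
        if ( !in_array( $ext, $allowedExtensions, true ) ) {
            return true; // a literal dot with an unexpected extension
        }
    }
    return false;
}

// Hypothetical wrapper around $_SERVER. Returns null when the raw URI cannot
// be trusted (no REQUEST_URI, or a server we have not verified keeps %2E
// encoded), so the caller keeps its existing conservative handling.
function requestUriHasUnencodedDot( array $server ): ?bool {
    if ( !isset( $server['REQUEST_URI'], $server['SERVER_SOFTWARE'] ) ) {
        return null;
    }
    if ( stripos( $server['SERVER_SOFTWARE'], 'Apache' ) !== 0 ) {
        return null; // only Apache is known to expose the undecoded URI
    }
    return pathHasUnencodedDot( $server['REQUEST_URI'] );
}

// Constructed sample requests mirroring the cases raised in the thread.
$samples = [
    '/w/index.php?title=Foo&action=raw'  => false, // index.php is the expected script
    '/w/index.php/foo.bat?action=raw'    => true,  // unencoded dot in a path segment
    '/w/index.php/foo%2Ebat?action=raw'  => false, // encoded dot, only visible in REQUEST_URI
    '/wiki?/foo.bat'                     => false, // alias case: the dot sits in the query string
    '/wiki/Foo.bat'                      => true,  // alias with a literal dot in the path
];
foreach ( $samples as $uri => $expected ) {
    $got = pathHasUnencodedDot( $uri );
    printf( "%-38s -> %s\n", $uri, $got === $expected ? 'as expected' : 'MISMATCH' );
}

$verdict = requestUriHasUnencodedDot( [ 'SERVER_SOFTWARE' => 'nginx/1.0', 'REQUEST_URI' => '/wiki/Foo.bat' ] );
var_dump( $verdict ); // NULL: not Apache, so the raw URI is not relied on
```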