On Tue, Sep 09, 2008 at 01:52:30PM -0500, Thierry Moreau wrote: > Here is a simple exploit which alters the ietf.org main page. Insert the > following four lines > > [...] > > to the file /usr/lib/firefox/res/html.css > > [...] > > OK, this requires root access because the Linux community is generally > security-conscious. But you should see the general idea: paranoia leads me > to think of an adversary who would threatens application integrity (such as > the above) without leaving much trace of computer system penetration. > > [...] > > Does anybody have any tip about how to mitigate this vulnerability, with > minimal assumptions about the client web browser?
As the service provider you have little choice but to assume local security on the client side IF you want to allow clients that you don't control (and you don't really have a choice about _that_; most SPs don't anyways). I don't see how to mitigate all possible attacks you can imagine that involve a compromised client. > The habit of storing css style information in various style sheets files > separate from the HTML contents is worrysome as each stylesheet retrieval > operation is a potential attack vector. You could say the same thing about AJAX, ... This train left the station long ago, and I was on it then along with everyone else. Nico -- --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
