On Jan 12, 2005, at 1:09 PM, N. M. Buzdor wrote:
> You can comment out the redirect part in RawPage.php, about 2/3 down.
DO NOT COMMENT THAT OUT! It's a workaround for an IE security flaw, for which we made a security fix release in late September.
> I believe you, though I'm not sure how that could be a real security threat since it's only data that the client already has anyway.
That data can be sent somewhere _else_, since the browser is now under the control of a potentially malicious third party who can produce arbitrary JavaScript code which is executed in the context of your wiki's web site.
As I already mentioned, login credentials can be sent to a malicious server for later use, and/or the script could directly execute actions on the wiki with the user's permissions (potentially a sysop account which can delete pages, protect or unprotect pages, ban or unban accounts, and more).
If someone can trick a user into visiting that page (potentially via a hidden frame or a redirect), the vulnerability allows that someone to effectively act as that user on the wiki.
Further, if the vulnerable browser is also vulnerable to other more serious attacks (buffer overflows, the Java applet security leak vulnerability, perhaps some ActiveX control attacks) the malicious attacker might be able to gain control of the user's local computer account and for instance install spyware, gain access to their passwords, read their e-mail, etc.
The workaround is to require that a 'raw' access be made from a canonical script URL, ... I did this with a redirect (instead of simply a 403 rejection) to preserve existing links.
> Perhaps I could modify the testing lines of my copy of the script to ignore, specifically, the cmw/ addition. This should not prevent the security check from keeping its promise to ward off invalid requests.
Maybe. See if you can find a way to get the exact given URL in a way that doesn't open it up to other security holes and works consistently across different web servers and PHP server APIs.
-- brion vibber (brion @ pobox.com)
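The check Brion describes, as an added illustration that is not MediaWiki's own RawPage.php code: raw output is served only when the request path is exactly one canonical script path, and any other URL that reaches the script is redirected to the canonical one with its query string intact, so existing links keep working instead of getting a 403. The thread does not say what the IE flaw is, so the example enforces only that rule. The function names, the canonical path '/w/index.php', the list-of-allowed-paths parameter (a way to accept an exact alternate path such as a mirror prefix without loosening the check to a prefix match) and the sample request URIs are assumptions made for this example.

```php
<?php
// Added example, not MediaWiki code: a canonical-URL gate for action=raw.
// Assumed names: requestedPath(), rawRedirectTarget(), canonical '/w/index.php'.

/**
 * Return the path the client actually requested, without the query string.
 * REQUEST_URI is what Apache supplies; other PHP server APIs may not set it,
 * so fall back to SCRIPT_NAME plus any extra path info. (That fallback is an
 * assumption of this example, not a claim about what the project does.)
 */
function requestedPath(array $server) {
    if (isset($server['REQUEST_URI'])) {
        $parts = parse_url($server['REQUEST_URI']);
        return isset($parts['path']) ? $parts['path'] : '';
    }
    $path = isset($server['SCRIPT_NAME']) ? $server['SCRIPT_NAME'] : '';
    if (isset($server['PATH_INFO'])) {
        $path .= $server['PATH_INFO'];
    }
    return $path;
}

/**
 * Decide whether a raw request may be served as-is.
 *
 * @param array    $server          Server variables ($_SERVER or a constructed copy).
 * @param string[] $canonicalPaths  Exact script paths allowed to emit raw output;
 *                                  the first one is the redirect destination.
 * @return string|null  null when the request is canonical; otherwise the URL
 *                      to redirect to (canonical script plus original query).
 */
function rawRedirectTarget(array $server, array $canonicalPaths) {
    $path = requestedPath($server);
    // Exact comparison on purpose: '/w/index.php/Page.html' still reaches the
    // script on most servers, but it is not the canonical URL. A prefix match
    // here would let that through and defeat the check.
    if (in_array($path, $canonicalPaths, true)) {
        return null;
    }
    $query = isset($server['QUERY_STRING']) ? $server['QUERY_STRING'] : '';
    return $canonicalPaths[0] . ($query !== '' ? '?' . $query : '');
}

// Constructed sample requests (not real traffic), one per case the gate handles.
$canonical = ['/w/index.php'];
$samples = [
    // Request path is exactly the canonical script.
    ['REQUEST_URI' => '/w/index.php?title=Foo&action=raw',
     'QUERY_STRING' => 'title=Foo&action=raw'],
    // Extra path info appended after the script name.
    ['REQUEST_URI' => '/w/index.php/Foo.html?title=Foo&action=raw',
     'QUERY_STRING' => 'title=Foo&action=raw'],
    // Server API that does not set REQUEST_URI at all.
    ['SCRIPT_NAME' => '/w/index.php', 'PATH_INFO' => '/Foo.html',
     'QUERY_STRING' => 'title=Foo&action=raw'],
];
foreach ($samples as $s) {
    $target = rawRedirectTarget($s, $canonical);
    echo requestedPath($s), ' => ',
         ($target === null ? 'serve raw' : 'redirect to ' . $target), "\n";
}

// In a real handler the redirect must be issued before any body is emitted:
//   if ($target !== null) { header('Location: ' . $target); exit; }
```

Run it with `php gate.php` to see which of the three constructed requests is served and which are redirected. The point Brion raises about getting "the exact given URL" consistently is visible in requestedPath(): a server API that omits REQUEST_URI forces you to rebuild the path from other variables, and if that rebuild is wrong in either direction the gate either breaks every link or lets non-canonical URLs through.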