On 04/06/11 03:53, Brion Vibber wrote:
On Thu, Jun 2, 2011 at 5:21 PM, Tim Starling <tstarling@wikimedia.org> wrote:
The main issue here is that we don't have a wide variety of web servers set up for testing. We know that Apache lets you detect %2E versus dot via $_SERVER['REQUEST_URI'], but we don't know if any other web servers do that.
Note that checking for %2E alone is not sufficient; a lot of installations (including Wikimedia) have an alias /wiki -> /w/index.php, which can be used to exploit action=raw.
Well that should be fine; as long as we can see the "/wiki?/foo.bat" then we can identify that it doesn't contain an unencoded dot in the path.
It sounds like simply checking REQUEST_URI when available would eliminate a huge portion of our false positives that affect real-world situations. Apache is still the default web server in most situations for most folks, and of course runs our own production servers.
You mean by checking $_SERVER["SERVER_SOFTWARE"] or something to check if it's Apache that we're running under? I suppose that could work.
It's easy enough to find out if REQUEST_URI is available. What we don't know is whether REQUEST_URI is really what was sent to the server, or whether it has %2E converted to "." before PHP gets to see it.
Are there any additional exploit vectors for API output other than HTML tags mixed unescaped into JSON?
Yes, all other content types, as I said above.
Only as drive-by downloads, or as things that execute without interaction?
Presumably that depends on what plugins are registered. I think it's better to avoid taking risks like this unless there is some good reason for doing so. With a REQUEST_URI check in place, in addition to all the other mitigating measures we now have in place, overblocking should be vanishingly rare.
-- Tim Starling
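As an added illustration of the REQUEST_URI check the thread is discussing (this is example code written for this page, not MediaWiki's code and not anything posted in the thread): look at the request URI exactly as the server received it, so that a literal "." can be told apart from "%2E", and only trust that view on Apache, which the thread says leaves %2E intact. The function names, the `$scriptPrefixes` list and the sample requests are all constructed here; the Apache-only trust rule and the /wiki alias come from the thread.

```php
<?php
// Added example, not MediaWiki's own code. It models the check discussed in
// the thread: examine REQUEST_URI undecoded so a literal "." in the URL can be
// distinguished from "%2E". Function names, $scriptPrefixes and the sample
// requests below are constructed for this example.

/**
 * Return the part of an undecoded REQUEST_URI that follows the wiki's own
 * entry point (script path or the /wiki alias), keeping the query string:
 * with an alias such as /wiki -> /w/index.php the suspicious text may sit
 * after the "?", as in "/wiki?/foo.bat".
 */
function suffixAfterEntryPoint(string $requestUri, array $scriptPrefixes): string {
    foreach ($scriptPrefixes as $prefix) {
        if (strncmp($requestUri, $prefix, strlen($prefix)) === 0) {
            return substr($requestUri, strlen($prefix));
        }
    }
    return $requestUri; // unknown entry point: examine the whole URI
}

/** True if the undecoded suffix contains a literal "." (a "%2E" does not count). */
function hasLiteralDot(string $undecodedSuffix): bool {
    // Deliberately no urldecode(): decoding is what hides the %2E / . difference.
    return strpos($undecodedSuffix, '.') !== false;
}

/**
 * Decide whether to serve the action=raw response. Per the thread, only Apache
 * is known to hand PHP a REQUEST_URI with %2E intact, so on other servers we
 * fall back to the conservative check on the decoded PATH_INFO, which cannot
 * tell "%2E" from "." and therefore may overblock.
 */
function decideRawRequest(array $server, array $scriptPrefixes): string {
    $rawUriUsable = isset($server['REQUEST_URI'], $server['SERVER_SOFTWARE'])
        && stripos($server['SERVER_SOFTWARE'], 'Apache') === 0;

    if ($rawUriUsable) {
        $suffix = suffixAfterEntryPoint($server['REQUEST_URI'], $scriptPrefixes);
        return hasLiteralDot($suffix) ? 'block (literal dot in URL)' : 'allow';
    }
    // Fallback: decoded path, so "%2E" and "." look identical here.
    $decoded = $server['PATH_INFO'] ?? '';
    return strpos($decoded, '.') !== false ? 'block (conservative fallback)' : 'allow';
}

// Constructed sample requests (not real traffic).
$scriptPrefixes = ['/w/index.php', '/wiki'];
$samples = [
    ['REQUEST_URI' => '/w/index.php?title=Foo&action=raw', 'SERVER_SOFTWARE' => 'Apache/2.2'],
    ['REQUEST_URI' => '/w/index.php/Foo%2Ebat?action=raw', 'SERVER_SOFTWARE' => 'Apache/2.2'],
    ['REQUEST_URI' => '/wiki?/foo.bat',                    'SERVER_SOFTWARE' => 'Apache/2.2'],
    ['REQUEST_URI' => '/wiki/Foo%2Ebat', 'SERVER_SOFTWARE' => 'nginx/1.0', 'PATH_INFO' => '/Foo.bat'],
];
foreach ($samples as $s) {
    printf("%-40s %-12s => %s\n", $s['REQUEST_URI'], $s['SERVER_SOFTWARE'],
        decideRawRequest($s, $scriptPrefixes));
}
```

The second and fourth samples carry the same decoded path; on Apache the %2E form is allowed because the undecoded URI shows no literal dot, while on the untrusted server the fallback blocks it, which is exactly the overblocking the REQUEST_URI check is meant to remove. The third sample shows why the query string must stay in the scan when a /wiki alias is in use.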