[VIM] Blaming product vendors for other vendors' "features"

Steven M. Christey coley at mitre.org
Tue Oct 25 21:06:42 EDT 2005


How are other VDBs handling situations in which Internet Explorer's
automatic type detection feature renders HTML in .GIF/.JPG files as if
it's HTML?  Theoretically, every single web application that allows
uploads is "vulnerable" - is it really the application vendors'
responsibility to work around this "feature"?  From a VDB perspective
I don't like the idea of "blaming" the wrong party and/or adding
dozens or hundreds of entries for products that don't work around
another product's feature.

These fall under a class of vulns that I call "multiple interpretation
errors" in which one product assumes "good" behavior of other products
that don't actually behave.  A-V products get hit on these a lot, but
in those cases I think they should share some of the "blame" since
they are supposed to know how the inputs are going to be handled by
end systems.

Insert comment about Jon Postel's great motto "Be liberal in what you
accept, and conservative in what you send" being an impediment to
systemic security.

- Steve


======================================================
Name: CVE-2005-3310
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3310
Reference: BUGTRAQ:20051022 phpBB 2.0.17 (and other BB systems as well) Cookie disclosure
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=113017003617987&w=2
Reference: FULLDISC:20051022 phpBB 2.0.17 (and other BB systems as well) Cookie disclosure exploit.
Reference: URL:http://archives.neohapsis.com/archives/fulldisclosure/2005-10/0479.html
Reference: BID:15170
Reference: URL:http://www.securityfocus.com/bid/15170/
Reference: SECUNIA:17295
Reference: URL:http://secunia.com/advisories/17295/
Reference: XF:phpbb-avatar-bypass-security(22837)
Reference: URL:http://xforce.iss.net/xforce/xfdb/22837

Multiple interpretation error in phpBB 2.0.17, with remote avatars and
avatar uploading enabled, allows remote authenticated users to inject
arbitrary web script or HTML via an HTML file with a GIF or JPEG file
extension, which causes the HTML to be executed by a victim who views
the file in Internet Explorer, which renders malformed image types as
HTML, enabling cross-site scripting (XSS) attacks.  NOTE: it could be
argued that this vulnerability is due to a design flaw in Internet
Explorer that should not require all web-based applications to work
around; if so, then this should not be treated as a vulnerability in
phpBB.
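The CVE text above describes the pattern: an upload path trusts the file extension, and a browser that sniffs content reinterprets the stored bytes as HTML. The following is an added example of the server-side check an application vendor can apply if it chooses to work around the browser behaviour; it is not phpBB's code and not from the post. It assumes a constructed set of image signatures and HTML tag names, and a 256-byte sniffing window, which is the amount of body Internet Explorer historically inspected. The `X-Content-Type-Options: nosniff` header it emits postdates this 2005 post (it was introduced with IE8) and is included as the later, browser-side fix for the same problem.

```python
"""Server-side avatar validation (added example, not phpBB's own code).

Two defences against the 'multiple interpretation' problem described
above:
  1. accept only files whose leading bytes match a real image signature,
     ignoring the user-supplied extension entirely;
  2. refuse files whose first SNIFF_WINDOW bytes contain HTML markup,
     since a content-sniffing browser decides on roughly that prefix.
"""
import re

# Constructed table of magic numbers for the avatar types we accept.
IMAGE_SIGNATURES = {
    "gif": (b"GIF87a", b"GIF89a"),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
}

# Assumption: the sniffer examines about this many leading bytes.
SNIFF_WINDOW = 256

# Constructed list of tag names whose presence makes a sniffer say "HTML".
HTML_MARKUP = re.compile(
    rb"<\s*(?:!doctype|html|head|body|script|iframe|object|embed|meta|title|svg)\b",
    re.IGNORECASE,
)


def detect_image_type(data: bytes):
    """Return the image type implied by the leading bytes, or None."""
    for kind, signatures in IMAGE_SIGNATURES.items():
        if any(data.startswith(sig) for sig in signatures):
            return kind
    return None


def looks_like_html(data: bytes) -> bool:
    """True if the sniffable prefix of the file contains HTML markup."""
    return HTML_MARKUP.search(data[:SNIFF_WINDOW]) is not None


def validate_avatar(filename: str, data: bytes):
    """Return (accepted, reason).  The filename is reported, never trusted."""
    kind = detect_image_type(data)
    if kind is None:
        return False, f"{filename}: no recognised image signature"
    if looks_like_html(data):
        return False, (f"{filename}: {kind} signature but HTML markup "
                       f"within the first {SNIFF_WINDOW} bytes")
    return True, f"{filename}: accepted as {kind}"


def response_headers(kind: str, filename: str) -> dict:
    """Headers to serve a stored avatar with so browsers do not re-sniff it."""
    return {
        "Content-Type": f"image/{kind}",
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'inline; filename="{filename}"',
    }


if __name__ == "__main__":
    # Constructed sample uploads: a real GIF header, an HTML file renamed
    # to .gif, and a GIF header with HTML appended inside the sniff window.
    samples = [
        ("ok.gif", b"GIF89a" + b"\x00" * 32),
        ("renamed.gif", b"<html><body>not an image</body></html>"),
        ("polyglot.jpg", b"GIF89a" + b"<html><body>x</body></html>"),
    ]
    for name, blob in samples:
        accepted, reason = validate_avatar(name, blob)
        print("ACCEPT" if accepted else "REJECT", reason)
```

The extension check that phpBB relied on is deliberately absent: the decision rests only on the bytes, and the serving headers tell the browser to stop guessing. A file that passes the signature test but hides markup beyond the sniff window is still rejected by nothing here, so the `nosniff` header, not the prefix scan, is the check to rely on once clients support it.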
