The trouble with redirects

The folks at Digital Creations have, in the process of tracking down a security problem with the Zope application server, turned up a
The problem

Since the beginning, the Hypertext Transfer Protocol (HTTP) has included a couple of "redirect" response types. Essentially, if you ask a web server for a page, the server can send back a redirect, saying "actually, it's over there." Your browser then goes to the new location and asks again, automatically, without consulting you. Redirects are useful for a number of purposes; for example, when a web site moves, a redirect can be put in to point readers to the new site transparently. (Thus, for example, some people still go to www.eklektix.com/lwn/ to read LWN and it works, even though LWN has not been there for two years.)
The other half of the problem has to do with authentication. Consider the range of web sites that need to know who you are before allowing you to perform some sort of privileged action. Examples include Hotmail, Slashdot (to post under your name), E*Trade, any Zope site (for admin functions, if not more), etc. Normally you type your password and do what you need to do, no problem.
But your browser remembers that password you typed - either directly, when "basic authentication" is being used, or in the form of a cookie given to you by the site in question. Either way, the browser attaches those credentials to every later request it makes to that site, so you need not type the password again. Most of us appreciate that highly; forever retyping the same passwords would get pretty old in a hurry.
Now consider what happens when some unpleasant person decides to make life difficult for you. He somehow gets you to view a URL that is under his control - by sending you mail directly suggesting that you look there, by posting an interesting Slashdot comment, or by some other means. But there is no page there; instead the server just redirects you to a URL which performs some action on a site where you have already authenticated yourself. To your browser, the redirect target is just another request to that trusted site, so it duly attaches the stored credentials, and the action happens - without the attacker ever having to know your password or see your cookie.
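The sequence just described, modelled as an added example (this is not code from the article, from Digital Creations or from Zope): a toy user agent that stores Basic credentials per host and follows redirects, a victim site whose GET /delete is a privileged action, an attacker page that does nothing but redirect, and a hardened variant of the site that demands a per-user action token the redirecting server cannot know. The hostnames mail.example and evil.example, the user alice, the /inbox and /delete paths and the token scheme are all assumptions made for illustration.

```python
import base64
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


class Browser:
    """Minimal user agent: remembers Basic credentials per host and follows
    redirects, attaching whatever it holds for the host it is about to contact.
    (A session cookie scoped to the host would be attached in exactly the same way.)"""

    REDIRECTS = {301, 302, 303, 307, 308}

    def __init__(self, sites):
        self.sites = sites        # hostname -> handler(path, query, headers) -> Response
        self.basic_auth = {}      # hostname -> (user, password), filled in when the user logs in

    def remember_basic(self, host, user, password):
        self.basic_auth[host] = (user, password)

    def get(self, url, max_redirects=5):
        for _ in range(max_redirects + 1):
            parts = urlsplit(url)
            host = parts.hostname
            headers = {}
            if host in self.basic_auth:            # credentials are keyed on the target host only
                user, pw = self.basic_auth[host]
                token = base64.b64encode(f"{user}:{pw}".encode()).decode()
                headers["Authorization"] = "Basic " + token
            resp = self.sites[host](parts.path, parse_qs(parts.query), headers)
            if resp.status in self.REDIRECTS and "Location" in resp.headers:
                url = resp.headers["Location"]     # follow silently, like a real browser
                continue
            return resp
        raise RuntimeError("too many redirects")


class MailSite:
    """Victim site (assumed): GET /delete?item=N is a privileged action behind Basic auth."""

    def __init__(self, user, password):
        self.expected = "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
        self.deleted = []

    def action_link(self):          # the delete link as it appears on the user's inbox page
        return "/delete?item=42"

    def check_action(self, query):  # the naive site accepts any authenticated request
        return True

    def handle(self, path, query, headers):
        if headers.get("Authorization") != self.expected:
            return Response(401, {"WWW-Authenticate": 'Basic realm="mail"'})
        if path == "/inbox":
            return Response(200, body=self.action_link())
        if path == "/delete":
            if not self.check_action(query):
                return Response(403, body="missing or bad action token")
            self.deleted.append(query["item"][0])
            return Response(200, body="deleted")
        return Response(404)


class HardenedMailSite(MailSite):
    """Same site, but the action also needs a secret per-user token that is handed out
    only inside a page the user fetched. The attacker's redirect cannot include it."""

    def __init__(self, user, password):
        super().__init__(user, password)
        self.token = secrets.token_hex(16)

    def action_link(self):
        return f"/delete?item=42&token={self.token}"

    def check_action(self, query):
        return secrets.compare_digest(query.get("token", [""])[0], self.token)


def attacker_page(path, query, headers):
    """The hostile URL: no content, just a redirect into the victim's action URL."""
    return Response(302, {"Location": "http://mail.example/delete?item=42"})


def run(site_class):
    """Returns (status of the user's own action, status of the redirect attack, items deleted)."""
    site = site_class("alice", "hunter2")
    browser = Browser({"mail.example": site.handle, "evil.example": attacker_page})
    browser.remember_basic("mail.example", "alice", "hunter2")   # alice logged in earlier
    legit = browser.get("http://mail.example" + browser.get("http://mail.example/inbox").body)
    attack = browser.get("http://evil.example/interesting")      # alice follows the lure
    return legit.status, attack.status, list(site.deleted)


if __name__ == "__main__":
    print("naive site:   ", run(MailSite))
    print("hardened site:", run(HardenedMailSite))
```

Against the naive site both requests succeed and item 42 is deleted twice: the browser never distinguished the redirect from a link the user chose to follow. Against the hardened site the user's own action still works, while the redirected request is refused, because the token is bound to the user's session and appears only in pages served to that user. Requiring the action to be a POST rather than a GET raises the bar as well, since a plain redirect cannot carry a request body, but the token is the check that actually ties the request to the user's intent.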
Unpleasant scenarios

So how could one exploit this problem? Here are a few scenarios:
It doesn't take long to come up with a long list of these.
Be careful out there.
See also

Here is the posting from Digital Creations describing the two problems they turned up; see the Client-side Trojan article for a full description of the problem described in this article.