Great Circle Associates Firewalls
(February 1995)
 


Subject: Re: questions about security & WWW browsers
From: Brent @ GreatCircle . COM (Brent Chapman)
Date: Fri, 17 Feb 1995 17:37:16 -0500
To: Brad - Walker <bwalker @ shell . portal . com>, firewalls @ greatcircle . com

At 00:17 2/14/95, Brad - Walker wrote:
>My questions concern HTML and Web browsers. Is it possible for a WWW
>server to issue HTML commands to the browsers to do things like
>delete a file, spawn a process or some other anti-social behavior (much
>like `deletefile' in Display PostScript).
>
>I'm in a discussion about firewalls and their limitations when it
>comes to application filtering.

I don't believe it's directly possible with HTML, but there are all sorts
of indirect possibilities.  If a WWW server returns data of type
"PostScript", and your Web browser forks off a copy of Display PostScript
or GhostScript or something to deal with it, who knows what that PostScript
code can do?  And what about all the other data types your Web browser
knows about, and the "display" programs for them; what are their
capabilities and vulnerabilities?

Further, can an attacker convince your users to add a new data type to
their Web browser's configuration?  By offering some nifty new service
(stock prices, weather updates, dirty pictures, whatever it is that will
get people's attention), telling folks "hey, here's what you need to add to
your .mosaicrc file in order to use this service"?  A lot of folks are
going to go for that, even if the "data type" being added is "sucker" and
the "display program" is "/bin/sh".  Even if your users are a little
smarter than that, though, and won't fall for such an obvious ploy, would
they fall for something less obvious?  Like somebody offering documentation
for something over the Web in nroff/troff format?  And telling folks "hey,
here's an easy way to add a 'troff' data type to your .mosaicrc file, which
just runs '/usr/bin/troff' on the job and pipes the output to your screen"?
That will probably sound safe enough to most users; problem is, most users
don't realize that troff has a mechanism for doing shell escapes, so
they've just given the attacker an indirect path to their shell.


-Brent

--
==  For info about the Internet Security Firewalls Tutorial and a schedule  ==
==  of upcoming dates, please send email to Tutorial-Info @ GreatCircle . COM   ==
==============================================================================
==  Brent Chapman                                 Great Circle Associates   ==
==  Brent @ GreatCircle . COM                         1057 West Dana Street     ==
==  +1 415 962 0841                               Mountain View, CA  94041  ==
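
An added example, not part of the original message or the list archive: an audit of a helper-application file that flags handlers which hand downloaded data to a shell, troff or a PostScript interpreter, the indirect paths the message describes. The mailcap-style `type; command` layout, the `RISKY` list and the sample entries are assumptions constructed for illustration.

```python
import os
import re

# Constructed list (an assumption, not from the message): helper programs
# that can act on commands embedded in the data they are asked to display.
RISKY = {
    "sh": "shell executes the downloaded data as commands",
    "csh": "shell executes the downloaded data as commands",
    "troff": "troff has a shell-escape mechanism",
    "nroff": "troff has a shell-escape mechanism",
    "gs": "PostScript programs can operate on files",
    "ghostscript": "PostScript programs can operate on files",
}

def parse_mailcap(text):
    """Yield (mime_type, view_command) pairs from mailcap-style text."""
    joined = re.sub(r"\\\n", "", text)  # join backslash-continued lines
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # Simplification: escaped semicolons (\;) in commands are not handled.
        fields = [f.strip() for f in line.split(";")]
        if len(fields) >= 2 and fields[1]:
            yield fields[0].lower(), fields[1]

def audit(text):
    """Return (mime_type, program, reason) for each risky pipeline stage."""
    findings = []
    for mime_type, command in parse_mailcap(text):
        # Check every stage of a pipeline, not only the first program.
        for stage in re.split(r"\|\||&&|[|&]", command):
            words = stage.split()
            if not words:
                continue
            prog = os.path.basename(words[0])
            if prog in RISKY:
                findings.append((mime_type, prog, RISKY[prog]))
    return findings

# Constructed sample entries, including the two ploys from the message.
SAMPLE = """\
image/gif; xv %s
application/postscript; gs -q %s
application/x-troff; /usr/bin/troff -Tascii %s | more
application/x-sucker; /bin/sh %s
text/plain; more %s
"""

if __name__ == "__main__":
    for mime_type, prog, reason in audit(SAMPLE):
        print(f"{mime_type}: {prog}: {reason}")
```
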



