17th June 2006, 6:44 PM
I discovered something last night: Microsoft has really done it now. There is an inherent weakness in the HTTP protocol that until now could not be exploited; I say until now because .NET 2.0 is here. I believe this design flaw in the HTTP protocol is so astronomical that no computer will be safe from viral attack, and there will be no way to defend against it.
I’m speaking of .NET’s ability to override HTTP requests. Let me explain.
As a demonstration go to the following link:
http://talk.tovennet.net/speek.ashx?text...0a%20test'
You will notice 2 things horribly wrong with this link. First of all, the type of file it is: the extension is .ashx, yet the media player thinks it’s a wav file. Additionally, you will notice the content of the file is a voice saying what’s in the query string, in this case "this is a test"; try substituting something else in the query string.
So to recap: 1, Windows was confused as to the type of file that was elected to open, and 2, the content of the file was overridden and dynamically generated. There is no file called speek.ashx on my web server; the HTTP request was routed through an override handler.
Now let’s say I created a virtual file called reallycoolimage.jpg. The temptation is not to worry about electing to open harmless jpgs; however, I could override the handler and send you reallyhorriblevirus.msi, and here’s the kicker! You just elected to open it!
This is an inherent defect in the HTTP protocol that the client does not receive notification of overridden or dynamic HTTP requests.
Now, I’m not trying to be a doomsayer, but this could be the end of internet security as we know it. Something must be done and I don’t know what!
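A client-side check for the scenario in the post above, as an added example that is not part of the original post: it compares the type implied by the URL's extension with the response's Content-Type header and with the leading bytes of the body. The host `example.test`, the function names, the small signature table and the sample bodies are all constructed for illustration.

```python
import os
from urllib.parse import urlsplit

# Illustrative signature table (leading bytes -> type label); constructed, not exhaustive.
MAGIC = [
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "application/x-ole-storage"),  # OLE container (.msi); label chosen here
    (b"MZ", "application/x-msdownload"),                                  # PE executable
]
EXT_TYPES = {".jpg": "image/jpeg", ".jpeg": "image/jpeg", ".wav": "audio/wav"}
ALIASES = {"audio/x-wav": "audio/wav", "audio/wave": "audio/wav"}


def sniff(body):
    """Guess a type from the first bytes of the body, or None if unknown."""
    if body[:4] == b"RIFF" and body[8:12] == b"WAVE":
        return "audio/wav"
    for magic, mime in MAGIC:
        if body.startswith(magic):
            return mime
    return None


def check_response(url, content_type, body):
    """Return mismatches between URL extension, Content-Type header and body bytes."""
    ext = os.path.splitext(urlsplit(url).path)[1].lower()
    expected = EXT_TYPES.get(ext)            # None for extensions with no fixed type
    declared = (content_type or "").split(";", 1)[0].strip().lower()
    declared = ALIASES.get(declared, declared)
    actual = sniff(body)
    findings = []
    if expected and declared and declared != expected:
        findings.append(f"extension {ext} implies {expected}, header declares {declared}")
    if actual and declared and actual != declared:
        findings.append(f"header declares {declared}, bytes look like {actual}")
    if expected and actual and actual != expected:
        findings.append(f"extension {ext} implies {expected}, bytes look like {actual}")
    return findings


# Constructed sample responses (hypothetical host, made-up bodies).
WAV = b"RIFF\x24\x00\x00\x00WAVEfmt "
OLE = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8
SAMPLES = {
    "handler-wav": ("http://example.test/speek.ashx?text=hi", "audio/x-wav", WAV),
    "real-jpeg": ("http://example.test/photo.jpg", "image/jpeg", b"\xff\xd8\xff\xe0JFIF"),
    "disguised": ("http://example.test/reallycoolimage.jpg", "image/jpeg", OLE),
}

if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(name, check_response(*sample) or "consistent")
```

The handler-generated WAV reports no findings because its header and bytes agree, while the `.jpg` URL carrying an OLE container is flagged on both the header and the extension comparison.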