2005-03-12, 07:23 PM   #11
ClickBuster
I'm normally not a praying man, but if you're up there, please save me Superman!
Join Date: Dec 2004
Location: Bulgaria
Posts: 476
True, but still not very polite.

Here's the deal. First of all, browser version has shit to do with the HELO request my browser is sending to get the damn headers and body that your server sends. Although it's not only HELO, but again it's not the browser version that is important in that case. You're the one that can exploit the browser vulnerability, not the browser that can hack your server (not that you can't hack with a browser, I'm not talking about this). The server sends response headers the browser does or doesn't understand depending on the version, etc. - there's no chance that your Apache or IIS or whatever you're using is sending different headers depending on the browser version, BECAUSE all popular browsers are made to understand HTTP the way it is now, because it hasn't changed for YEARS... or maybe you're saying that IE 4 sends different "give me the page" headers than IE 6.5? There may be some vulnerabilities that are in version 4 and are not in version 6, but that's not the same thing.

Your JS is the one identifying my browser version and redirecting me to a server-side app that will do whatever it has to do to send me the proper HTML that is understandable by my browser (if you ever create that kind of code), which, although it is a good thing, means that you (the webmaster) can provide HTML that is compatible with any browser (don't forget that 99% of the Internet doesn't care that much about that kind of thing).

However, getting my browser version with JS may lead to the hack. For instance, the surfer has a vulnerable browser and is redirected to a script that executes the JS exploit OR the buffer overflow exploit (for example caused by a vulnerable header parser). Well, a hacker wouldn't test this in general and would try to exploit everything he can, but what about version-dependent variable values that would complete the hack? What about the fact that OS identification (JS code again) may lead to further attacks? Data collecting is a good thing for hackers in general, so please, don't explain to me how good it is that my browser can give away all that info for free. There are tons of cases where this can be proved bad.

I understand getting the plugin version for instance (no matter that most of the time it's something like "Flash 5 for Windows XP"), but this is something else.

I want to say something here to the paysite owners that may read this thread. From what I'm hearing and reading about Strongbox - it's a good service, don't get me wrong, that will boost your business and reduce the password exchange, which will increase your and your webmasters' income for sure.

However, Ray, what your company is doing here is that it exploits a major flaw in the browsers themselves, and that's a fact, no matter what you'll say. By "flaw", please don't understand "vulnerability", just something that I find somewhat needless or that needs to be replaced with something else that is more secure (which, again, won't happen).

And Ray, I hope you're not offended in any way by this discussion. I really enjoy it.

Regards and best wishes,
Andrew

PS:
I'm using Firefox
__________________
The tendency is to push it as far as you can
-- Fear and Loathing In Las Vegas
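The client-side version check the post describes, as an added example that is not from the thread or from Strongbox: a 2005-style parse of the User-Agent string into browser family, major version and OS, plus the redirect URL a page would pick from it. The sample User-Agent strings are constructed for the test, not captured traffic; the point worth noting is that `navigator.userAgent` in the page and the HTTP `User-Agent` header the server receives carry the same string, so the server already has this information before any JavaScript runs.

```javascript
// Added example, not code from the thread: browser detection the way a
// 2005-era script did it, by parsing the User-Agent string.

// Constructed User-Agent strings for the test, not captured from real traffic.
const SAMPLE_UAS = {
  ie6: "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)",
  firefox: "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050223 Firefox/1.0.1",
  // Opera of that era could be configured to identify itself as IE:
  operaAsIE: "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) Opera 7.54",
};

// Returns { family, major, os } or null for an unrecognised client.
// Opera is checked before MSIE because Opera's "compatible; MSIE" token
// would otherwise be misread as Internet Explorer.
function detectBrowser(ua) {
  const os = /Windows NT 5\.1/.test(ua) ? "Windows XP"
           : /Windows NT 5\.0/.test(ua) ? "Windows 2000"
           : /Windows/.test(ua) ? "Windows"
           : /Linux/.test(ua) ? "Linux"
           : /Mac/.test(ua) ? "Mac" : "unknown";
  let m;
  if ((m = /Opera[ /](\d+)/.exec(ua))) return { family: "Opera", major: Number(m[1]), os };
  if ((m = /MSIE (\d+)/.exec(ua))) return { family: "IE", major: Number(m[1]), os };
  if ((m = /Firefox\/(\d+)/.exec(ua))) return { family: "Firefox", major: Number(m[1]), os };
  return null;
}

// What the post describes: the page chooses a server-side target from the
// detected family/version. This only computes the URL; nothing is fetched.
// The "/render" path is a hypothetical placeholder.
function chooseRedirect(ua, base = "/render") {
  const b = detectBrowser(ua);
  if (!b) return base + "?browser=unknown";
  return `${base}?browser=${b.family}&major=${b.major}`;
}

// In a browser the call would be: chooseRedirect(navigator.userAgent)
```

Because the OS field comes from the same string, the "OS identification" the post mentions costs the page nothing extra; a server log of the `User-Agent` header shows exactly what each client volunteered.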