[exim] Re: [Full-Disclosure] iDEFENSE Security Advisory 01.1…

Páxina inicial
Borrar esta mensaxe
Responder a esta mensaxe
Autor: Nick FitzGerald
Data:  
Para: exim-users, full-disclosure
CC: 
Asunto: [exim] Re: [Full-Disclosure] iDEFENSE Security Advisory 01.14.05: Exim dns_buld_reverse() Buffer Overflow Vulnerability
Marc Haber wrote:

> > iDEFENSE Security Advisory 01.14.05
> > www.idefense.com/application/poi/display?id=183&type=vulnerabilities
>
> That web page is only viewable with JavaScript enabled, and is thus
> unviewable with a browser configured to minimize the surfing risk. For
> a security-related organization, I consider this poor design.


I've tried that line against them several times in the past. It seems
they just don't care, so I take that to mean iDEFENSE is _NOT_ "a
security-related organization".

Perhaps the purpose of the script gives us a clue as to the true nature
of iDEFENSE's business?

There are two scripts in that page (in fact, last I checked, these
scripts govern access to most pages on the iDEFENSE site). The first
is an external script called thus:

[script type="text/javascript" src="/js/flashdetect.js"][/script]

http://www.idefense.com/js/flashdetect.js sets a bunch of variables to
"false", including "isFlash5" and "isFlashMX" then proceeds to
determine either of the above should be set to "true".

The second script is page-specific because it includes content-specific
URL redirections using JavaScript's "location" function (reformatted to
a more Email-friendly indentation):

   [script language="JavaScript" type="text/javascript"]
     //[!--
       if (isFlashMX) {


         location = '/application/poi/display?id=183&type=vulnerabilities&flashstatus=true';


       }
       else {


         location = '/application/poi/display?id=183&type=vulnerabilities&flashstatus=false';


       }        
     //--]


[/script]

So, we can "fix" this dependence on scripting by using your preferred
choice of these URLs:

http://www.idefense.com/application/poi/display?id=183&type=vulnerabilities&flashstatus=false

http://www.idefense.com/application/poi/display?id=183&type=vulnerabilities&flashstatus=true

Clearly the purpose of these scripts is to direct us to a "Flash-
enabled" version of the page if our browsers are considered to be
"Flash enough" to handle the required Flash version. So what do the
fancy, Flash versions of these pages offer that the non-Flash versions
don't?

An egregiously animated background graphic for the "Power of
Intelligence" banner and a typically anti-browser-navigation methods
"Flash" menu.

Some agency or "celebrity designer" was probably badly overpaid for
this excess of design indulgence over content accessibility, so it
seems that marketing is a greater objective here than than information
provision and access...

Microsoft retroactively (i.e. in response to complaints) fixed its
security bulletins last time they were re-designed by a gnat who could
not only not comprehend that some folk willingly browse the web with
scripting and ActiveX disabled, but was obviously given a design
briefing, written by someone at the supposedly now entirely security-
focussed Redmond giant, that did not specify suitable usability
guidelines for the pages in question for varying levels of browser
security setting.

Sophos fixed its recently re-designed into scripting hell virus
description web pages following user complaints.

Shall we see if iDEFENSE can actually use "the power of intelligence"
it claims to be able to provide its customers and produce security
advisory pages that are actually functionally useful to its most
security-conscious web visitors, rather than (perhaps) being the most
visually appealing eye-candy for the security-ignorant it hopes to
entice into being its new customers?


Regards,

Nick FitzGerald