Talk:Inter-protocol exploitation

From Wikipedia, the free encyclopedia
This is an old revision of this page, as edited by DecorumForum125 (talk | contribs) at 00:55, 23 August 2022 (Assessment (Start/Low): Computer Security, Computing (Rater)). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.
WikiProject Computer security / Computing: Start-class, Low-importance
This article is within the scope of WikiProject Computer security, a collaborative effort to improve the coverage of computer security on Wikipedia. If you would like to participate, please visit the project page, where you can join the discussion and see a list of open tasks.
This article has been rated as Start-class on Wikipedia's content assessment scale.
This article has been rated as Low-importance on the project's importance scale.
This article is supported by WikiProject Computing (assessed as Low-importance).

Not newly discovered

How is this a new class of attacks as of 2007? Examples of the same class were described in the security considerations of RFC 1738, from December 1994:

A URL-related security threat is that it is sometimes possible to construct a URL such that an attempt to perform a harmless idempotent operation such as the retrieval of the object will in fact cause a possibly damaging remote operation to occur. The unsafe URL is typically constructed by specifying a port number other than that reserved for the network protocol in question. The client unwittingly contacts a server which is in fact running a different protocol. The content of the URL contains instructions which when interpreted according to this other protocol cause an unexpected operation. An example has been the use of gopher URLs to cause a rude message to be sent via a SMTP server. Caution should be used when using any URL which specifies a port number other than the default for the protocol, especially when it is a number within the reserved space.
Care should be taken when URLs contain embedded encoded delimiters for a given protocol (for example, CR and LF characters for telnet protocols) that these are not unencoded before transmission. This would violate the protocol but could be used to simulate an extra operation or parameter, again causing an unexpected and possible harmful remote operation to be performed.

This motivated restrictions on which ports can be connected to via HTTP, that are still present in current browsers (although since the restricted ports were a blacklist, it was always obvious that there was the potential for more such attacks). Also, browser support for APIs such as XMLHttpRequest has increased the degree of control that an attacker has over the carrier request, but that's not a fundamental difference.

I'm not saying this class of attacks is not important, but there is no justification for describing it as newly discovered. --David-Sarah Hopwood ⚥ (talk) 04:01, 31 October 2009 (UTC)

Also note that FTP bounce attacks could be used for inter-protocol exploits (known since 1996). --David-Sarah Hopwood ⚥ (talk) 05:35, 1 November 2009 (UTC)
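
The two cautions in the RFC 1738 passage quoted above, written as a URL check. This is an added example, not part of the discussion or of the RFC. The default-port table, the reading of "reserved space" as ports 0 to 1023, the warning names and the sample URLs are assumptions made for the example.

```python
from urllib.parse import urlsplit, unquote

# Default ports for a few schemes (subset chosen for this example).
DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21, "gopher": 70}
# Assumption: "reserved space" is read as the well-known port range 0-1023.
RESERVED_MAX = 1023


def url_warnings(url):
    """Return the RFC 1738-style cautions that apply to `url` (hypothetical helper)."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    try:
        port = parts.port  # raises ValueError on a malformed or out-of-range port
    except ValueError:
        return ["invalid-port"]

    warnings = []
    default = DEFAULT_PORTS.get(scheme)
    # Caution 1: a port other than the one reserved for the URL's own protocol,
    # "especially when it is a number within the reserved space".
    if port is not None and default is not None and port != default:
        warnings.append("non-default-port")
        if port <= RESERVED_MAX:
            warnings.append("reserved-port")

    # Caution 2: encoded delimiters (CR, LF) that would turn into raw line
    # breaks if a client decoded them before transmission. Only the path and
    # query are inspected here.
    decoded = unquote(parts.path + "?" + parts.query)
    if "\r" in decoded or "\n" in decoded:
        warnings.append("encoded-crlf")
    return warnings


if __name__ == "__main__":
    # Constructed sample URLs; hosts are placeholders.
    for sample in (
        "http://www.example/index.html",
        "http://www.example:8080/a",
        "gopher://host.example:25/1x%0D%0Ay",
    ):
        print(sample, url_warnings(sample))
```

A policy built on these warnings would normally refuse the request rather than strip the offending characters, since a fixed list of bad ports has the weakness the comment above points out for blacklists.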