Re: SSL VPNs and security

To: bugtraq@xxxxxxxxxxxxxxxxx, Michal Zalewski <lcamtuf@xxxxxxxxxxxx>
Subject: Re: SSL VPNs and security
From: "Amit Klein (AKsecurity)" <aksecurity@xxxxxxxxxx>
Date: Fri, 09 Jun 2006 16:17:31 +0200
Cc: full-disclosure@xxxxxxxxxxxxxxxxx
In-reply-to: <Pine.LNX.4.58.0606072320530.32681@dione>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Priority: normal

On 8 Jun 2006 at 22:48, Michal Zalewski wrote:

> "Web VPN" or "SSL VPN" is a term used to denote methods for accessing
> company's internal applications with a bare WWW browser, with the use of
> browser-based SSO authentication and SSL tunneling. As opposed to IPSec,
> no additional software or configuration is required, and hence, corporate
> users can use pretty much any computer they can put their hands on.


> 
>   - Application cookies set by other applications. If passed to the
>     browser (as some SSL VPNs do), these cookies are separated by the use
>     of "path" parameter alone, which does not necessarily establish a
>     browser security domain boundary. This is equivalent to the attacker
>     obtaining user credentials to these applications.
> 

Yes, the path field (in Set-Cookie) doesn't buy you much, see a detailed 
discussion in 
"Path Insecurity":
http://www.webappsec.org/lists/websecurity/archive/2006-03/msg00000.html

-Amit

References:
- SSL VPNs and security
  - From: Michal Zalewski

Prev by Date: [USN-295-1] xine-lib vulnerability
Next by Date: [USN-294-1] courier vulnerability
Previous by thread: SSL VPNs and security
Next by thread: Re: SSL VPNs and security
Index(es):
- Date
- Thread