[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: ISA Server 2004 Log Manipulation

To: beSIRT@xxxxxxxxxxxxxxxxxx
Subject: Re: ISA Server 2004 Log Manipulation
From: "Steven M. Christey" <coley@xxxxxxxxx>
Date: Mon, 8 May 2006 23:21:33 -0400 (EDT)

>You can insert the 'tab' value and possibly break 3rd party log
>analyzers.

OK, this makes sense - if ISA supports tab-separated format, then tab
is a special character within such a log file, and attackers should be
prevented from injecting it (by filtering, quoting, whatever...)

>Other interesting characters may be ... a "<" character for CSS, and
>whatever else your heart desires.

This is a bit more difficult.

Are you saying that there's a web interface or static HTML reports,
provided by ISA, that don't handle "<" characters when they are
processing ISA log files?  Then I would view it as a vuln in the web
interface or HTML page generator.

Are you saying that ISA should protect against all possible XSS
attacks that might be launched against third-party or external
applications that might happen to have XSS issues when they parse log
files from ISA?  If so - then I don't think that should be ISA's
responsibility.

How might one handle this?  To protect against XSS, you could quote
the "<" to be "&lt;" - but then, your quoting has just allowed the
attacker to exploit shell metacharacter vulnerabilities in any
applications that process the log file.  Well, you could remove the
"<" completely - but then you've mis-represented the actual inputs
that the attacker provided, hampering possible forensics activities.

I don't think it should be one application's responsibility to protect
against all the possible attacks that could be launched against
third-party products that happen to parse the original application's
output - unless either the application's core functionality is to
protect against such an attack (e.g. an anti-virus product that sits
between the Internet and a desktop machine).

More to the point - I don't think it's *possible* for one application
to protect against all the ways that its own outputs could be
mis-interpreted by other downstream products that are outside of its
own control.  A gray area occurs with interaction errors between two
products that function correctly when separate, but somehow have
issues when they work together - but this is rarely encountered.

Sorry if this was not what you originally meant - but it's a useful
point of discussion, regardless :)

- Steve

Prev by Date: Re: SYMSA-2006-003: Cisco Secure ACS for Windows - Administrator Password Disclosure
Next by Date: Secunia Research: Where Is It unacev2.dll Buffer Overflow Vulnerability
Previous by thread: Re: ISA Server 2004 Log Manipulation
Next by thread: [REWTERZ-20060504] - Sami FTP Server Remote Buffer Overflow Vulnerability
Index(es):
- Date
- Thread