This only loosely falls under the umbrella of CSS, but it is an attack that sprang to mind while thinking about this problem -
- I register at the victim.com acs4-based site, and find out that my user_id is 9876
- I craft a popup ad that contains 2 frames - a big irritating flashing frame that says "MAKE MEGABUCKS" or whatever, and a 1-pixel tall frame at the bottom that loads "http://victim.com/permissions/grant-2?object_id=0&party_id=9876&privilege=admin"
- I entice the victim.com site admin to visit a page containing this ad
- I take advantage of my new admin rights on victim.com
- If victim.com has some facility like the old portals module that allows admins to input executable TCL, I take advantage of my new admin rights on the machine that hosts victim.com
The point of the popup ad and frames is that nobody looks at popups long enough before closing them to notice the 1-pixel tall bit of window that contains either an "unauthorised" error message or a "permissions updated on object 0" result.
The lesson of CSS is that not only can't we trust input from users, but we can't trust that input from a user is actually from that user.
The only general solution to this attack I can see is to move the session and auth data from cookies into the URL, which would tend to suck - anybody have other ideas?