Tuesday, 1 December 2009

Amusing vulnerability

I came across one of the more entertaining recent vulnerability announcements this morning - take a look at http://www.kb.cert.org/vuls/id/261869. I think it falls into the "well, it's obvious now I think about it" category; however, I hadn't really thought about it... In summary, the way that clientless VPN servers re-write URLs breaks the same origin policy - pretty obvious if you've ever used one of these products and looked at the various URLs that get returned. This means that "bad things" can happen - take a look at the advisory. I'd suggest that any organisation using these kinds of clientless VPNs to provide remote access functionality prevent Internet browsing through these servers; after all, if a user can get to the VPN server, he/she has Internet access, so why do they need to go through the VPN server?

Why do I view this as entertaining? Well, it's always a little ironic when security products present attack vectors and I'm a big fan of irony. I also know several organisations that make use of this technology and I can't wait to point them to the link...
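
The URL rewriting described in the post, as an added example that is not part of the original post or any vendor's code: it shows how rewriting puts unrelated sites under the gateway's single origin, and sketches the suggested restriction to internal hosts. The gateway name `vpn.example.com`, the `/proxy/` path scheme, the function names and the sample targets are all assumptions made for illustration.

```javascript
// Added illustration; the gateway host and /proxy/ path scheme are hypothetical.
const GATEWAY = "https://vpn.example.com";

// Origin as the browser computes it: scheme + host + port.
function origin(url) {
  return new URL(url).origin;
}

// Rewrite a target URL so it is fetched through the gateway, the way a
// clientless VPN rewrites links in the pages it serves (constructed scheme).
function rewrite(target) {
  const u = new URL(target);
  const port = u.port ? `:${u.port}` : "";
  const scheme = u.protocol.slice(0, -1);
  return `${GATEWAY}/proxy/${scheme}/${u.hostname}${port}${u.pathname}${u.search}`;
}

// Group the original origins by the origin the browser sees after rewriting.
function originsAfterRewrite(targets) {
  const groups = new Map();
  for (const t of targets) {
    const seen = origin(rewrite(t));
    groups.set(seen, [...(groups.get(seen) || []), origin(t)]);
  }
  return groups;
}

// Restriction suggested in the post: only proxy hosts inside internal domains.
function mayProxy(target, internalSuffixes) {
  const host = new URL(target).hostname.toLowerCase();
  return internalSuffixes.some((s) => host === s || host.endsWith("." + s));
}

// Constructed sample targets: two internal applications and one Internet site.
const targets = [
  "https://mail.corp.example/inbox",
  "https://hr.corp.example/payroll?id=7",
  "http://www.external.example/page",
];

// All three distinct origins end up under the gateway's one origin.
console.log(originsAfterRewrite(targets));
// Only the two internal targets pass the restriction.
console.log(targets.filter((t) => mayProxy(t, ["corp.example"])));
```

With the restriction in place the internal applications still share the gateway's origin; what it removes is arbitrary Internet content from that shared origin.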