Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?)
James Firth
james2 at jfirth.net
Wed Aug 4 12:36:04 BST 2010
Nicolas Bohm wrote:
> That suggests to me that entering a URL designed to exploit a weakness
> in order to get "behind" the root of a server for a particular site is
> doing something very different from truncating a URL in order to explore
> a site. I can much more easily see why it might be concluded a
> particular user knew it was unauthorised.
>
Not according to RFC 1738 it's not.
Just because there is a weakness there it doesn't necessarily mean anyone
using the syntax should be prosecuted for attempting unauthorised access.
A URL http://ejf.me/../../ is perfectly valid.
If the server does not intend to provide access above "document root" then
the server must handle rejection.
If the server does provide access above "document root" then the server, by
its own admission through issuing a 200 OK response, is indicating that
access is AUTHORISED.
It's not just an unlocked door, it's a shop with a sign outside saying "We
accept all visitors who conform to RFC 1738 - feel free to walk through the
door corresponding to your valid request".
If the server operator did not intend to provide access above server root,
then they should have configured their server to provide an appropriate
(4xx) denial.
In this case it's the victim who cannot claim that ignorance of the protocol
is a valid excuse for launching a prosecution for something which ultimately
is their own fault.
It's NOT even due to a bug in the software the server is using. It's a
failure to understand the services the server operator is willingly offering.
- As you can tell I have very strong views on this subject.
James Firth
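The post argues that the server, not the client, is responsible for refusing requests whose path climbs above the document root, and that a server which does not want to serve such paths should answer with a 4xx. The following Python is an added example illustrating that server-side check; it is not code from the list post or from any web server the thread mentions. The document root `/var/www/html` and the sample URLs (reusing the `http://ejf.me/../../` form from the post) are constructed for illustration.

```python
import posixpath
from urllib.parse import unquote, urlsplit

# Hypothetical document root; any request must resolve to a path beneath it.
DOCUMENT_ROOT = "/var/www/html"


def resolve_request_path(url: str, document_root: str = DOCUMENT_ROOT):
    """Map a request URL onto a filesystem path under document_root.

    Returns (status, path):
      (200, path)  the normalised path stays inside the document root
      (403, None)  a '..' segment would climb above the document root
      (400, None)  the path is malformed (embedded NUL after decoding)

    The 200 here only means "inside the root"; a real server would still
    check that the file exists and is readable before serving it.
    """
    raw_path = urlsplit(url).path or "/"
    # Decode percent-encoding once so that %2e%2e is handled as '..'.
    decoded = unquote(raw_path)
    if "\x00" in decoded:
        return 400, None

    segments = []
    for seg in decoded.split("/"):
        if seg in ("", "."):
            # Empty segments (leading slash, '//') and '.' do not move us.
            continue
        if seg == "..":
            if not segments:
                # Climbing above the root is exactly the case the post
                # says the server must reject rather than silently serve.
                return 403, None
            segments.pop()
            continue
        segments.append(seg)

    fs_path = posixpath.join(document_root, *segments) if segments else document_root
    return 200, fs_path


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    for sample in (
        "http://ejf.me/",
        "http://ejf.me/index.html",
        "http://ejf.me/docs/../index.html",
        "http://ejf.me/../../",
        "http://ejf.me/%2e%2e/%2e%2e/",
    ):
        print(sample, "->", resolve_request_path(sample))
```

The check is purely lexical: it decides whether the request text itself asks for something above the root. It does not follow symbolic links inside the document root, so a production server should additionally resolve the final path with `os.path.realpath` and confirm it still starts with the root before opening the file.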