[dns-operations] Drive-by Pharming Threat (fwd)

Florian Weimer fw at deneb.enyo.de
Sat Feb 17 21:08:07 UTC 2007


* Barry Greene:

>> It's cool, it's "new" and it won't be a huge problem quite yet.
>
> It is not "new." It is just unpublished. 

| This has been dubbed "Cross-Site Request Forgery" a couple of years
| ago, but the authors of RFC 2109 were already aware of it in 1997. At
| that time, browser-side countermeasures were proposed (such as users
| examining the HTML source code *cough*), but current practice
| basically mandates that browsers transmit authentication information
| when following cross-site links.
| 
| Such attacks are probably more problematic on low-end NAT routers
| whose internal address defaults to 192.168.1.1 and which generally
| offer HTTP access, which makes shotgun exploitation easier. So much
| for the "put your Windows box behind a NAT router" advice you often
| read. 

From BUGTRAQ, posted in November 2005.

Given a vendor's lukewarm response to a description of the issue (not
the IOS buffer issue, the CSRF angle) a couple of months earlier, I
didn't press this matter in any way.  It's not something you can force
vendors to fix without escalating in public, and this very same
publicity may lead to widespread exploits which you want to prevent in
the first place.  (Same thing with the EDNS0 traffic amplification
issue, BTW.)


