. or its Unicode equivalent (%2e%2e). If /trusted were the listed URLRoot path, an attacker could possibly provide /trusted/%2e%2e/attackerfilepath/, allowing the attacker to break out of the approved URLRoot path and get the user to download a file of the attacker's choice. To defend against URLRoot path traversal, all paths should be unquoted, normalized, and validated prior to retrieval.
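The unquote-normalize-validate check just described, as an added example written for this page rather than code from the book or any vendor control; the function names are hypothetical, and it also treats a backslash as a path separator, a Windows-specific generalization of the text's forward-slash case.

```cpp
#include <cctype>
#include <string>
#include <vector>

// Decode %XX escapes once. Returns false on a truncated or non-hex escape.
static bool percent_decode(const std::string& in, std::string& out) {
    out.clear();
    for (size_t i = 0; i < in.size(); ++i) {
        if (in[i] != '%') { out += in[i]; continue; }
        if (i + 2 >= in.size() || !isxdigit((unsigned char)in[i + 1]) ||
            !isxdigit((unsigned char)in[i + 2])) return false;
        out += (char)std::stoi(in.substr(i + 1, 2), nullptr, 16);
        i += 2;
    }
    return true;
}

// Collapse "." and ".." segments; '\' is treated like '/' (assumption: Windows host).
// Returns false if ".." would climb above the root of the path.
static bool normalize_path(const std::string& in, std::string& out) {
    std::vector<std::string> segs;
    std::string cur;
    auto flush = [&]() -> bool {
        if (cur.empty() || cur == ".") { cur.clear(); return true; }
        if (cur == "..") { if (segs.empty()) return false; segs.pop_back(); cur.clear(); return true; }
        segs.push_back(cur); cur.clear(); return true;
    };
    for (char c : in) {
        if (c == '/' || c == '\\') { if (!flush()) return false; }
        else cur += c;
    }
    if (!flush()) return false;
    out.clear();
    for (const auto& s : segs) out += "/" + s;
    if (out.empty()) out = "/";
    return true;
}

// True only if the decoded, normalized request stays inside url_root.
// canonical receives the normalized path that should be used for retrieval.
bool path_within_root(const std::string& url_root, const std::string& requested,
                      std::string& canonical) {
    std::string decoded, root;
    if (!percent_decode(requested, decoded)) return false;
    if (!normalize_path(decoded, canonical)) return false;
    if (!normalize_path(url_root, root)) return false;
    if (root == "/" || canonical == root) return true;
    return canonical.compare(0, root.size() + 1, root + "/") == 0;
}

// Convenience wrapper: the canonical path on success, empty string on rejection.
std::string canonical_or_empty(const std::string& url_root, const std::string& requested) {
    std::string c;
    return path_within_root(url_root, requested, c) ? c : std::string();
}
```

Note that the decoded path, never the raw request string, is what gets compared and later passed to the file-retrieval routine.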
Require HTTPS for ActiveX Controls
If an ActiveX control is downloading a file, the ActiveX control should be deployed using HTTPS only. In addition, any HTTP actions should be redirected to HTTPS. Furthermore, if ActiveX URLs are redirected to another URL, path and SSL checks should be repeated on the new URL before the control is allowed to retrieve files. Strong certificates for HTTPS should also be required, and mismatched certificates should not be allowed to be used.
ActiveX Attacks
To show how an ActiveX control can be abused, we need to start with a weak ActiveX control. ActiveX.stream is a hostile ActiveX control developed by the author for test purposes. It leverages a built-in control (CLSID: 8856F961-340A-11D0-A96B-00C04FD705A2) already installed on the Windows operating system.