A friend of mine from another university was visiting recently and told me about a peculiar situation at work.
His institution is experiencing financial difficulties, so his department decided to reduce expenses by eliminating the extensive full-color brochure they had published for many years to entice students and parents into considering their program. Instead, they would publish a much simpler, less expensive brochure and put lots of exciting information on the departmental Web site. This plan would also offer the opportunity for including links to each professor’s personal Web page, where the faculty could post valuable and impressive materials such as their curriculum vitae, list of publications, photos and so on.
Then he hit a brick wall.
The IT security officer at the university flatly disallowed all external links from the main departmental Web page. University policy precluded such links. “Why?” asked my friend. They would, said the security administrator, “compromise the security of the institutional Web site.” And that was it: end of discussion. The impression was that the security officer would have said, “Go away and stop bothering me” had my friend not been a faculty member.
My friend asked me about the security implications of having external links. Was it true, he asked, that they could allow an attack on the university’s Web site?
Well, no, not in the normal sense of the word “attack.”
The Hypertext Transfer Protocol (HTTP) lets client systems (the computers running a browser) request a resource by an address whose host name is translated into a numerical IP address using the Domain Name System. A link in Hypertext Markup Language (HTML) is simply a string that the browser usually displays in a particular way (e.g., underlined and in a particular color) according to the settings on the client system. As far as the Web site is concerned, an HTML page that contains only URLs is just a bunch of text.
Note that I am not discussing active content here; there are certainly ways to open holes in a Web site using URLs that are dynamically generated. For example, URLs that contain details that the Web site interprets as instructions, or as user identification codes and authentication sequences, can easily be abused from the outside. A specific example is some mailing list administrators’ (or spammers’) practice of giving members (or victims) URLs like this to remove themselves (or believe that they remove themselves) from the list:
People who are irritated by spammers have been known to generate lots of similar URLs and automatically cause mass removals from the lists using this vulnerability.
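The unsubscribe-link weakness described above, beside a hardened form that signs the address with an HMAC so a link built from someone else's address is rejected. This is an added example, not code from the column; the secret, host name and list name are constructed placeholders.

```python
import hmac
import hashlib
from typing import Optional
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed placeholder values; a real list server would load the secret
# from protected configuration and use its own host name.
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"
BASE = "https://lists.example.edu/unsubscribe"


def weak_unsubscribe_link(address: str) -> str:
    """The weak pattern the column describes: the address alone is the
    'credential', so anyone who can guess an address can build the link."""
    return BASE + "?" + urlencode({"email": address})


def weak_handle(url: str) -> Optional[str]:
    """Returns the address that would be removed; nothing proves ownership."""
    qs = parse_qs(urlparse(url).query)
    return qs.get("email", [None])[0]


def _token(address: str, list_name: str) -> str:
    # Bind the token to both the address and the list so it cannot be
    # replayed against a different subscriber or a different list.
    msg = f"{list_name}\n{address.lower()}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def signed_unsubscribe_link(address: str, list_name: str) -> str:
    """Hardened form: the link carries an HMAC only the server can produce."""
    return BASE + "?" + urlencode(
        {"list": list_name, "email": address, "token": _token(address, list_name)}
    )


def signed_handle(url: str) -> Optional[str]:
    """Returns the address to remove only if the token verifies, else None.
    A real handler would also confirm the removal rather than act on a bare GET."""
    qs = parse_qs(urlparse(url).query)
    try:
        address, list_name, token = qs["email"][0], qs["list"][0], qs["token"][0]
    except KeyError:
        return None
    if not hmac.compare_digest(token, _token(address, list_name)):
        return None  # forged or tampered link
    return address
```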
In the next article in this two-part sequence, I’ll discuss a related issue: links to embarrassing Web sites.
Learn more about this topic:
Cisco launches IPS offensive (Network World, 02/14/05)
IPS gaining ground over IDS (Network World, 02/14/05)