Update SYSTEM.abe
When I installed the updated version of 1.9.3.4 there was no updated version of SYSTEM.abe with some more rules, so I tried renaming it and reinstalling NS. Now there is no SYSTEM.abe.
Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 Mnenhy/0.7.6.666
Re: Update SYSTEM.abe
I just saw that both files of 1.9.3.4 are identical. So it seems I misunderstood the
+ SYSTEM built-in ABE ruleset including one rule emulating LocalRodeo
(check http://databasement.net/labs/localrodeo/ and
http://databasement.net/labs/localrodeo/testcases.php )
But anyway, SYSTEM.abe isn't rebuilt.
Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 Mnenhy/0.7.6.666
- Giorgio Maone
- Site Admin
- Posts: 9524
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
- Contact:
Re: Update SYSTEM.abe
- 1.9.3.4 is just one file, the changelog was not complete when I uploaded it first so I updated the changelog later, but not the file.
- Reinstalling does not change any preference/setting, including ABE rules.
To rebuild the SYSTEM.abe file you should use the "Reset" preference button, but that's not advisable since you would reset all your configuration. However the current SYSTEM.abe emulates LocalRodeo with just 3 lines:
Code:
Site LOCAL
Accept from LOCAL
Deny
so you can rebuild it by yourself (or rename your copy, if you've got one).
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)
Re: Update SYSTEM.abe
Thanks Giorgio,
I thought it should rebuild the file to keep safety.
Of course I've got the file back by renaming and a restart of Fx; reset would always be the last measure.
Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 Mnenhy/0.7.6.666
Re: Update SYSTEM.abe
Hi Giorgio, can we defeat this problem with ABE and javascript enabled?
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.10) Gecko/2009042523 Ubuntu/9.04 (jaunty) Firefox/3.0.10
Re: Update SYSTEM.abe
This is the correct poc link:
http://ha.ckers.org/mr-t/
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.10) Gecko/2009042523 Ubuntu/9.04 (jaunty) Firefox/3.0.10
- Giorgio Maone
Re: Update SYSTEM.abe
Guest wrote: Hi Giorgio, can we defeat this problem with ABE and javascript enabled?
Well, there's a lot of info collected by that page, some useful, some less.
Of course if the site is untrusted and therefore active content is disabled, all the PoC fails.
Parts of the PoC still fail with "standard" NoScript installed even if you enable JavaScript, but ABE specifically causes the last part (localhost) to fail thanks to its SYSTEM.abe ruleset, which replicates LocalRodeo's functionality and therefore blocks all the extranet->intranet access attempts.
Notice also that the method used by RSnake to detect LocalRodeo fails at detecting ABE.

Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)
Re: Update SYSTEM.abe
Just curious: is ABE being enabled in the latest development versions actually doing anything at present?
Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1b4) Gecko/20090423 Firefox/3.5b4
- Giorgio Maone
Re: Update SYSTEM.abe
@mr greenhatch:
Yes, thanks to the following built-in rule (in the SYSTEM ruleset), it protects from any attack of the Internet->Intranet CSRF class:
Code:
Site LOCAL
Accept from LOCAL
Deny
This one, for instance, no matter if the attacker site has JavaScript enabled or not.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)
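As an added illustration (not part of the thread and not NoScript's own code), this Python sketch models how the three-line SYSTEM rule quoted above decides a request. Its definition of LOCAL (loopback, private and link-local ranges plus the name localhost, with no DNS resolution) is an assumption made for the example, and the function names are hypothetical.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption for this sketch: LOCAL = loopback, RFC 1918 private and link-local
# addresses, plus the literal name "localhost". Hostnames are not resolved here.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]


def is_local(url):
    """True if the URL's host falls in the LOCAL set defined above."""
    host = urlsplit(url).hostname
    if host is None:
        return False
    if host == "localhost" or host.endswith(".localhost"):
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # not an IP literal; DNS is deliberately not consulted
    return any(addr in net for net in LOCAL_NETS)


def abe_system_decision(origin, destination):
    """Evaluate 'Site LOCAL / Accept from LOCAL / Deny' for one request.

    origin is the URL of the page issuing the request,
    destination is the URL being requested.
    """
    if not is_local(destination):
        return "no match"   # 'Site LOCAL' does not apply to this request
    if is_local(origin):
        return "accept"     # 'Accept from LOCAL'
    return "deny"           # 'Deny' everything else aimed at LOCAL


# Constructed sample requests: (origin page, requested URL)
SAMPLES = [
    ("http://attacker.example/poc.html", "http://192.168.1.1/admin"),
    ("http://attacker.example/poc.html", "http://localhost:631/admin"),
    ("http://192.168.1.20/wiki/", "http://192.168.1.1/status"),
    ("http://attacker.example/poc.html", "http://www.example.org/"),
]

if __name__ == "__main__":
    for origin, dest in SAMPLES:
        print(f"{origin} -> {dest}: {abe_system_decision(origin, dest)}")
```

The decision depends only on where the request comes from and where it goes, which is why the rule holds whether or not the originating site has JavaScript enabled.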
Re: Update SYSTEM.abe
Thanks for enlightening me Giorgio.
Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1b4) Gecko/20090423 Firefox/3.5b4