Page 1 of 1
Update SYSTEM.abe
Posted: Tue May 26, 2009 6:19 am
by Mc
When I installed the updated version of 1.9.3.4 there was no updated version of SYSTEM.abe with some more rules, so I tried renaming it and reinstalling NS. Now there is no SYSTEM.abe
Re: Update SYSTEM.abe
Posted: Tue May 26, 2009 6:52 am
by Mc
I just saw that both files of 1.9.3.4 are identical. So seems I misunderstood the
+ SYSTEM built-in ABE ruleset including one rule emulating LocalRodeo
(check
http://databasement.net/labs/localrodeo/ and
http://databasement.net/labs/localrodeo/testcases.php )
But anyway, SYSTEM.abe isn't rebuilt.
Re: Update SYSTEM.abe
Posted: Tue May 26, 2009 7:44 am
by Giorgio Maone
- 1.9.3.4 is just one file, the changelog was not complete when I uploaded it first so I updated the changelog later, but not the file.
- Reinstalling does not change any preference/setting, including ABE rules.
To rebuild the SYSTEM.abe file you should use the "Reset" preference button, but that's not advisable since you would reset all your configuration. However the current SYSTEM.abe emulates LocalRodeo with just 3 lines:
so you can rebuild it by yourself (or rename your copy, if you've got one).
Re: Update SYSTEM.abe
Posted: Tue May 26, 2009 8:20 am
by Mc
Thanks Giorgio,
I thought it should rebuild the file to keep savety.
Of course I've got the file back by renaming and a restart of Fx, reset would always be the last measure.
Re: Update SYSTEM.abe
Posted: Wed May 27, 2009 12:22 pm
by Guest
Hi Giorgio, can we defeat
this problem with ABE and javascript enabled?
Re: Update SYSTEM.abe
Posted: Wed May 27, 2009 12:25 pm
by Guest
This is the correct poc link:
http://ha.ckers.org/mr-t/
Re: Update SYSTEM.abe
Posted: Wed May 27, 2009 12:38 pm
by Giorgio Maone
Guest wrote:Hi Giorgio, can we defeat
this problem with ABE and javascript enabled?
Well, there's a lot of info collected by that page, some useful, some less.
Of course if the site is untrusted and therefore active content is disabled, all the PoC fails.
Parts of the PoC still fail with "standard" NoScript installed even if you enable JavaScript, but ABE specifically causes the last part (localhost) to fail thanks to its SYSTEM.abe ruleset, which replicates LocalRodeo's functionality and therefore blocks all the extranet->intranet access attempts.
Notice also that the method used by RSnake to detect LocalRodeo fails at detecting ABE
Re: Update SYSTEM.abe
Posted: Fri May 29, 2009 6:15 pm
by mr greenhatch
Just curious: is ABE being enabled in the latest development versions actually doing anything at present?
Re: Update SYSTEM.abe
Posted: Fri May 29, 2009 7:39 pm
by Giorgio Maone
@
mr greenhatch:
Yes, thanks to the following built-in rule (in the SYSTEM ruleset), it protects from any attack of the Internet->Intranet CSRF class:
This one, for instance, no matter if the attacker site has JavaScript enabled or not.
Re: Update SYSTEM.abe
Posted: Fri May 29, 2009 7:53 pm
by mr greenhatch
Thanks for enlightening me Giorgio.