[clug] Drive-By Pharming Attack Could Hit Home Networks
kim.holburn at gmail.com
Sun Feb 18 19:49:32 GMT 2007
On 2007/Feb/17, at 11:19 PM, Michael Cohen wrote:
> On Sat, Feb 17, 2007 at 03:41:44PM +0100, Kim Holburn wrote:
>> iframe and somehow got an enter or a click to the iframe after the
>> password manager filled in the details?
> works that is).
I seem to remember that java was designed with security in mind but I
basically based on the idea of java and has grown rather like topsy
ever since (and been embraced and extended ;-). There are different
> JS is not supposed to have access to windows or iframes which open to a different domain from where it came from, otherwise you could do the same with internet banking sites, or any other login pages.
No-one seems to have thought of this scam yet but I expect you will
could the browser really test for this? JS can hijack all the links on a page; it can create a link that will appear to a CGI script as though someone filled in a correct username and password and changed settings. If it can't open a page from another site it can entice you to open it and make the page look like something else. It can make a page that gets all its resources from another site.
As we do more and more business and system administration on-line and
through browsers and use more and more AJAX this sort of thing is
going to become more dangerous.
> From time to time people find vulnerabilities in this model, but they are more implementation problems than fundamental problems with the
use it though.
> Occasionally the model gets in the way too - especially when trying to implement single sign on type stuff from different domains. It
> that domains are security boundaries - i.e. all scripts hosted by a certain domain are to be trusted with the same data, this fails for example:
> 1) When a site is spread across a number of domains (e.g. sister sites in iframes etc)
> 2) When a single site hosts code from multiple sources - not all of which are trusted - e.g. if a site uses the /~username/ convention to host usernames - one user's JS can access another user's frames (because they both share the same domain). This type of problem is called cross site
> (XSS) - which in its widest form means how to get scripting to cross site
> For example if a forum software is vulnerable to XSS, one user may be able to post to the forum some JS which gets users' cookies and sends them off. Then every user that views that post in the forum becomes compromised - this is because the script runs in the same domain as the forum.
IT Network & Security Consultant
Ph: +39 06 855 4294 M: +39 3342707610
mailto:kim at holburn.net aim://kimholburn
skype://kholburn - PGP Public Key on request
Democracy imposed from without is the severest form of tyranny.
-- Lloyd Biggle, Jr. Analog, Apr 1961
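An added example, not from the thread or any project, illustrating the two points made above: the browser draws its security boundary at scheme, host and port, so two /~username/ directories on one host fall inside the same boundary, and the forum-side mitigation is escaping user text before it reaches the page. The function names and sample values are assumptions chosen for illustration.

```javascript
// Added example (not from the mailing list): the same-origin rule the
// thread discusses, and the output escaping a forum needs so that a
// user's post cannot run as script in every other user's browser.
// sameOrigin, escapeHtml, renderPost and the sample URLs/post are
// illustrative names and values, not from any real project.

// Two URLs share an origin when scheme, host and port all match.
// The path, including a /~username/ directory, plays no part, which is
// why per-user directories on one host share one security boundary.
function sameOrigin(a, b) {
  const ua = new URL(a);
  const ub = new URL(b);
  return ua.protocol === ub.protocol &&
         ua.hostname === ub.hostname &&
         ua.port === ub.port;
}

// Escape the five characters that let user text break out of an HTML
// text node or attribute value; this is the basic defence against
// stored XSS in user-generated content such as forum posts.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Render a post so that author and body are treated as text, never markup.
function renderPost(author, body) {
  return `<div class="post"><b>${escapeHtml(author)}</b>: ${escapeHtml(body)}</div>`;
}

// Constructed sample input: a post body carrying a script tag.
const samplePost = 'Hi all <script>run()</script>';

// Per-user directories on one host: same origin, so one user's script
// can reach another user's frames.
console.log(sameOrigin('http://www.example.com/~alice/', 'http://www.example.com/~bob/'));  // true
// A different host, even under the same parent domain, is a different origin.
console.log(sameOrigin('http://www.example.com/', 'http://bank.example.com/'));  // false
// The escaped post contains no live script tag.
console.log(renderPost('bob', samplePost));
```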