Re: AppleScript & HTML Again...
Re: AppleScript & HTML Again...
- Subject: Re: AppleScript & HTML Again...
- From: "John C. Welch" <email@hidden>
- Date: Sun, 28 Mar 2004 19:03:12 -0600
On 3/28/04 5:41 PM, "Walter Ian Kaye" <email@hidden> wrote:
>
> Nonsense. I just put a test page on my web site on a remote server, clicked
>
> the link, and iCal came up. So, clicking a link on a remote server allowed
>
> missing link to open a local application with no authorization or
>
> authentication whatsoever.
>
>
No, *that* is nonsense. You did not click remotely, you clicked locally.
>
Have someone *else* on your network click on the page, and see if it
>
runs something on your computer. It won't; it'll run it on theirs.
>
It's local.
<oy>...point dodging...the page lives on a remote server. This is, by the
way, how web - based exploits from web sites work. You load the page. In the
page are scripts that are running against your system. If you replicate the
click action in a script, then you have an remote site automatically running
applications on your system because you opened a web page, and you happen to
have a URL handler that does a little more than you bargained for.
Someone else's script being able to run applications on my machine with no
form of authentication *whatsoever* is simply insecure, and no amount of
sophistry will change that. There are very simple ways to fix this, but
ignoring the problem until something bad happens is NOT THE WAY.
You don't even have to kill the machine to do damage. I can make three -
four assumptions that are going to be valid on most Macs running Missing
Link:
1) They'll use the default open: protocol name
2) Their boot drives will be named either "Macintosh HD" or "Mac OS X"
3) Apple provided applications will be in /Applications and
/Applications/Utilities. And that there will be a few others in
/System/Library/CoreServices.
So all I have to do is start sending a metric buttload of open calls based
on those assumptions. Some poor bastard hits my site has Missing Link, as
long as options 1 & 2 are correct, I can open every default application they
have, and I can keep doing it until they reboot or leave my site. I'm
thinking that's a dandy DOS attack. And setting up people to do it would be
trivial.
But hey, we don't need security, it's a Mac. We're IMMUNE. So sayeth the
oligarchy.
john
--
"I think the the old joke "What do you call a bus full of lawyers driving
over a cliff...a good start." Needs to be amended to a buss full of MacMacs.
The cluelessness of some of these people is astounding, but I guess when you
live with your head up your own ass thinking it is Steve Jobs' ass, the
bright lights of reality can be confusing."
"jkvt", YML List
_______________________________________________
applescript-users mailing list | email@hidden
Help/Unsubscribe/Archives:
http://www.lists.apple.com/mailman/listinfo/applescript-users
Do not post admin requests to the list. They will be ignored.