Re: disk:// and help:// security problems


  • Subject: Re: disk:// and help:// security problems
  • From: Peter Wollschlaeger <email@hidden>
  • Date: Tue, 18 May 2004 00:23:03 +0200

On 17.05.2004 at 21:50, Michael Rothwell wrote:

> Safari, when accessing disk:// and help:// URLs, presents an enormous
> potential security risk -- automated execution of arbitrary code from an
> external source.
>
> I suggest:
>
> 1) Apple's Safari developers remove this kind of convenient (?) but
> boneheaded feature
>
> 2) Use FireFox, Mozilla, Opera, etc. until (1) is accomplished
>
> There's something to be said for browsers that don't tie themselves too
> intimately to the host OS.
>
> -----
>
> F-D post:
> http://lists.netsys.com/pipermail/full-disclosure/2004-May/021582.html
>
> Forum discussion:
> http://forums.macnn.com/showthread.php?s=&threadid=213043&perpage=50&pagenumber=1
>
> -----
>
> (excerpts from forum discussions below).
>
> Disk images are mountable via the disk: protocol, and automatic forwarding
> to disk: and help: can be done with meta refresh tags.
>
> With a URL of the type help:runscript=... HelpViewer can then be used to
> execute any script. This can be done with a refresh meta tag to such a
> URL. The script can then execute arbitrary code.
>
>
> Summary:
>
>  Deleting or modifying the OpnApp.scpt doesn't protect from this
>  vulnerability
>  Deleting the MacHelp.help doesn't protect from this vulnerability
>  Deleting the help protocol with MisFox doesn't protect from this
>  vulnerability
>  Changing the help protocol to something other than Help Viewer (I use
>  Chess) seems to help
>
> I suggest you download MisFox and change the application for the help
> protocol from Help Viewer to something else.
>
> Get MisFox here:
>
> http://www.clauss-net.de/misfox/misfox.html
>
> and click the Protocol Helpers tab.

As a programmer I would say: it's not a bug, it's a feature.
If you don't like it, just turn it off ("Open 'safe' files after
download").
And pay attention to rule 1: never download from a source you can't
trust.

Peter

> _______________________________________________
> cocoa-dev mailing list | email@hidden
> Help/Unsubscribe/Archives:
> http://www.lists.apple.com/mailman/listinfo/cocoa-dev
> Do not post admin requests to the list. They will be ignored.
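As an added example (not code from this thread, from Apple, or from MisFox), here is a small Python scanner a defender could run over fetched or mailed HTML to flag the forwarding pattern the quoted post describes: a meta refresh tag or a link whose target uses the disk: or help: scheme, which the thread says Safari hands off to a local helper application. Flagging on the scheme alone is deliberate, because the post notes that the path part (for example help:runscript=...) is what the helper acts on, so a filter should not depend on it. The sample HTML, the host example.invalid and the RISKY_SCHEMES set are constructed for this demonstration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Schemes the thread describes as dispatched to local helpers:
# disk: mounts a disk image, help: drives Help Viewer. (Constructed set.)
RISKY_SCHEMES = {"disk", "help"}


def refresh_target(content):
    """Pull the URL out of a meta-refresh content value such as
    '0; url=disk://...' or "0;URL='help:...'" (surrounding quotes stripped)."""
    m = re.search(r"url\s*=\s*['\"]?([^'\"]+)", content, re.IGNORECASE)
    return m.group(1).strip() if m else None


class SchemeAuditor(HTMLParser):
    """Collect (location, scheme, url) for every navigation target whose
    scheme is in RISKY_SCHEMES. HTMLParser lower-cases tag and attribute names."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = {name: (value or "") for name, value in attrs}
        # Automatic forwarding: <meta http-equiv="refresh" content="0;url=...">
        if tag == "meta" and attrs.get("http-equiv", "").lower() == "refresh":
            url = refresh_target(attrs.get("content", ""))
            if url:
                self._check("meta refresh", url)
        # Explicit targets: links, frames, images, forms
        for attr in ("href", "src", "action"):
            if attrs.get(attr):
                self._check(f"{tag}[{attr}]", attrs[attr])

    def _check(self, where, url):
        url = url.strip()
        scheme = urlsplit(url).scheme.lower()
        if scheme in RISKY_SCHEMES:
            self.findings.append((where, scheme, url))


def audit_html(html):
    """Return the list of risky-scheme targets found in an HTML document."""
    auditor = SchemeAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample page: one meta refresh to help:, one disk: link, and one
# ordinary https link that must not be reported.
SAMPLE_HTML = """<html><head>
<meta http-equiv="refresh" content="0; URL='help:runscript=constructed'">
</head><body>
<a href="disk://example.invalid/image.dmg">mount</a>
<a href="https://example.invalid/safe">ok</a>
</body></html>"""

if __name__ == "__main__":
    for where, scheme, url in audit_html(SAMPLE_HTML):
        print(f"{where}: {scheme}: -> {url}")
```

Run stand-alone it reports the meta refresh and the disk: link and stays silent on the https link. The scheme comparison is case-insensitive and quote-tolerant because the meta refresh syntax is loose; a gateway using this would typically strip or rewrite the flagged element rather than block the whole page.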


  • Follow-Ups:
    • Re: disk:// and help:// security problems
      • From: Allan Odgaard <email@hidden>
    • Re: disk:// and help:// security problems
      • From: Gwynne <email@hidden>
  • References:
    • disk:// and help:// security problems
      • From: "Michael Rothwell" <email@hidden>
