Re: disk:// and help:// security problems
- Subject: Re: disk:// and help:// security problems
- From: Charles Srstka <email@hidden>
- Date: Mon, 17 May 2004 20:26:40 -0500
I'll go further and say that it's not a problem with disk:// either,
which is actually a handy feature. The problem is with help:. No matter
what, it is *never* a good idea to have it possible to execute
arbitrary scripts via a URL. I really can't imagine what the engineers
were thinking when they implemented this.
Charles
On May 17, 2004, at 5:58 PM, Michael Rothwell wrote:
Upon further reflection, I think that #2 below won't bypass the whole
problem, as any browser that respects system settings for protocol
handlers can be (mis)used in this manner. It's really a problem with
help:// and disk:// rather than, specifically, Safari.
Michael Rothwell
email@hidden
On May 17, 2004, at 3:50 PM, Michael Rothwell wrote:
Safari, when accessing disk:// and help:// URLs, presents an enormous
potential security risk -- automated execution of arbitrary code from
an external source.
I suggest:
1) Apple's Safari developers remove this kind of convenient (?) but
boneheaded feature
2) Use Firefox, Mozilla, Opera, etc. until (1) is accomplished
There's something to be said for browsers that don't tie themselves too
intimately to the host OS.
-----
F-D post:
http://lists.netsys.com/pipermail/full-disclosure/2004-May/021582.html
Forum discussion:
http://forums.macnn.com/showthread.php?s=&threadid=213043&perpage=50&pagenumber=1
-----
(excerpts from forums discussions below).
Disk images are mountable via the disk: protocol and automatic
forwarding to disk: and help: can be done with meta refresh tags.
With an URL of the type help:runscript=... HelpViewer can then be used
to execute any script. This can be done with a refresh meta tag to such
an URL. The script can then execute arbitrary code.
Summary:
Deleting or modifying the OpnApp.scpt doesn't protect from this
vulnerability
Deleting the MacHelp.help doesn't protect from this vulnerability
Deleting the help protocol with MisFox doesn't protect from this
vulnerability
Changing the help protocol to something else than Help Viewer (I use
Chess) seems to help
I suggest you download MisFox and change the application for the help
protocol from Help Viewer to something else.
Get MisFox here:
http://www.clauss-net.de/misfox/misfox.html
and click the Protocol Helpers tab.
_______________________________________________
cocoa-dev mailing list | email@hidden
Help/Unsubscribe/Archives:
http://www.lists.apple.com/mailman/listinfo/cocoa-dev
Do not post admin requests to the list. They will be ignored.
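Added example, not part of the original thread or of any project named in it: a small Python check that flags the pattern discussed above, a meta refresh tag that forwards the browser to a non-web URL scheme such as help: or disk:. The allow-list of schemes, the function names and the sample page are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Schemes a web page may reasonably auto-redirect to ("" = relative URL).
# This allow-list is an assumption of the example.
WEB_SCHEMES = {"", "http", "https"}

class MetaRefreshScanner(HTMLParser):
    """Collects the target URL of every <meta http-equiv="refresh"> tag."""

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        attr = {name: (value or "") for name, value in attrs}
        if attr.get("http-equiv", "").strip().lower() != "refresh":
            return
        # content is "<seconds>; url=<target>"; the "url=" label is optional.
        _, _, rest = attr.get("content", "").partition(";")
        match = re.match(r"\s*(?:url\s*=\s*)?(.*)", rest, re.I | re.S)
        target = match.group(1).strip().strip("'\"")
        if target:
            self.targets.append(target)

def suspicious_refreshes(html):
    """Return (scheme, target) for refreshes that leave the web schemes."""
    scanner = MetaRefreshScanner()
    scanner.feed(html)
    scanner.close()
    hits = []
    for target in scanner.targets:
        scheme = urlsplit(target).scheme.lower()
        if scheme not in WEB_SCHEMES:
            hits.append((scheme, target))
    return hits

# Constructed sample page; the help: value is left elided as in the thread.
SAMPLE = """<html><head>
<meta http-equiv="refresh" content="0; url=help:runscript=...">
<META HTTP-EQUIV="Refresh" CONTENT="0;URL=disk://example.invalid/sample.dmg">
<meta http-equiv="refresh" content="5; url=http://example.com/next.html">
</head><body></body></html>"""

if __name__ == "__main__":
    for scheme, target in suspicious_refreshes(SAMPLE):
        print(f"refresh to non-web scheme {scheme!r}: {target}")
```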