Re: disk:// and help:// security problems

  • Subject: Re: disk:// and help:// security problems
  • From: Charles Srstka <email@hidden>
  • Date: Tue, 18 May 2004 02:34:19 -0500

On May 17, 2004, at 10:58 PM, Jonathan Wight wrote:

> Actually that's slightly incorrect I believe. You need two URLs: one to
> download a malicious AppleScript and then the help:// URL to cause it
> to execute.

Wrong. With JavaScript you can automatically execute these after a delay. All you'd have to do is visit the page.

> Also the user must have auto-open 'safe' downloads turned on _and_ have
> his/her download location known to the attacker (probably ~/Desktop).

Wrong again. The disk:// URLs do not require auto-opening 'safe' downloads to be on, and the download location is completely irrelevant since the image will be mounted to /Volumes.

Charles