Gentoo Forums
Mozilla privacy bug
rojaro
l33t


Joined: 06 May 2002
Posts: 732

Posted: Wed Sep 18, 2002 10:17 pm

rac wrote:
As far as C++, Perl and PHP go, where they are used on the web, they run on the server. I see only the HTML that they output. HTML is not code that executes on my system. HTML is data that is rendered by my browser. There is no security implication. If you are referring to security problems on the server side, this is a different discussion (and I will be glad to have it somewhere, if you wish).


Oh you can do far worse things ... there have been a few really bad exploits for php itself lately on which you can get the details on the php.net page and at security focus and glsa-announcements here. And also, as you have pointed out already, if the program running in php or perl is badly implemented you'll often have even bigger holes (and there are LOTS of examples at securityfocus.com for that and both - php and perl).

rac wrote:
If I open a URL in my browser, it will give me a file to save on my system and do whatever I want to do with it, or it will render HTML in a window for me. If I have Java enabled, it may download some applets and run them in a sandbox. If, on the other hand, I have Javascript turned on, the simple act of accessing a URL with my browser potentially gives the author of that web page the ability to execute arbitrary code on my computer under my username with the privileges of that account. That is not acceptable to me.


but this is usually a problem of a very bad implementation of javascript (-> see ie). if the java runtime environment is badly designed (-> see microsoft's java implementation) you probably can break the sandbox and do what you want on a victim's machine ... same applies to the really freaking activex crap from microsoft - i mean you connect to windowsupdate.microsoft.com and you'll have no idea what this activex-update&installation applet transmits to microsoft and if you don't use it you won't get any updates. (check m$-knowledge base ... in most cases it tells you now to consult windowsupdate.microsoft.com to get your security holes fixed)

rac wrote:
I don't care if it makes the browsing experience less rich or easy. For example, I have to type the smilies in my posts, because clicking on them doesn't do anything. Any website that makes some content only available if a browser has enabled Javascript is poorly written, IMO, and I avoid them. Sometimes I write them a letter explaining this position.


well ... who needs stupid graphic smilies ... i disabled that function for posting messages entirely ... those graphic smilies sometimes really piss me off, especially when i'm posting some source code which contains e.g. "8)" or ":]" (as in "[:alpha:]" -> regular expressions)

rac wrote:
Note that I am not trying to eradicate Javascript from the face of the planet. If people want to use it, and people want to write it, that's fine. Where I get angry is when people who create web pages choose to block access to people because they do not enable Javascript, even when there is no good technical reason for doing so. Case in point: Javascript menus that do not degrade to normal HTML links. I see absolutely no reason for this except rudeness, laziness, or ignorance.


oh that's just so true ... or stuff like disabling right-clicking and popunders & popups (which mozilla cures pretty nicely)
_________________
A mathematician is a machine for turning coffee into theorems. ~ Alfred Renyi (*1921 - †1970)
rac
Bodhisattva


Joined: 30 May 2002
Posts: 6553
Location: Japanifornia

Posted: Wed Sep 18, 2002 10:40 pm

rojaro wrote:
Oh you can do far worse things ... there have been a few really bad exploits for php itself lately [...] if the program running in php or perl is badly implemented you'll often have even bigger holes (and there are LOTS of examples at securityfocus.com for that and both - php and perl).

True...but that's on the server side, right? I fail to see how any of that can affect the client side, because all the client is seeing is HTML. I guess if there was a buffer overflow in a rendering engine that was triggered by some bizarre HTML, you could make a DOS attack page - actually, come to think of it, someone mentioned that they managed to bring down an entire Windows environment in VMware trying to render the nested quote bomb thread.

Quote:
but this is usually a problem of a very bad implementation of javascript (-> see ie).

No, I think it's more than that. Javascript has no concept of security built into the language. Java does. With Javascript, the implementation has to actively try to stop unwanted things from happening. With Java, the VM does this for you at a very low level by design, and you have to explicitly allow code to do potentially unsafe things.

Quote:
if the java runtime environment is badly designed (-> see microsoft's java implementation) you probably can break the sandbox and do what you want on a victim's machine

Yes, but that's a serious VM bug, and by definition if such bugs exist the VM cannot be certified as adhering to the Java Language Specification. It's impossible to make a compliant VM that doesn't enforce strict security rules - I don't think the same is true of Javascript.
_________________
For every higher wall, there is a taller ladder
rojaro
l33t


Joined: 06 May 2002
Posts: 732

Posted: Wed Sep 18, 2002 11:40 pm

rac wrote:
True...but that's on the server side, right? I fail to see how any of that can affect the client side, because all the client is seeing is HTML.


ah, got your point now :)
_________________
A mathematician is a machine for turning coffee into theorems. ~ Alfred Renyi (*1921 - †1970)