FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Debian > Debian User

 
 
LinkBack Thread Tools
 
Old 06-08-2011, 04:11 PM
 
Default File URIs; was Re (6): Capability of Iceweasel to open a local file.

Scott & others,

From: Scott Ferguson <prettyfly.productions@gmail.com>
Date: Wed, 08 Jun 2011 12:07:01 +1000
> I seem to remember a number of URL handling exploits that could cause a
> problem (if they still exist).

All the admonitions about security have been hypothetical.
Nobody has painted a convincing picture of a possible failure.

> "file:///..." has been used in the past to view directories, and there
> are other variations. It seems an unnecessary risk.

A remote system uses a file URI to view details on my system?
How?

> Have you considered running a tiny webserver on your local machine
> (monkey?) and serving the local file/s from that?

I have Web servers. Yes, only allowing access to the file URIs
from my LAN, would achieve the privacy you recommend.

> Only if something follows the link and does something you haven't
> thought of.... How can you determine such a thing is not possible?

You describe the possibility of a file URI on my system which is
an executeable and would do harm if executed. OK, I understand.
My file URIs are html files. Strictly data. They can be interpreted
to make images. None can execute. That's a crucial point in this
discussion. A file containing data is innocuous. An executeable file
URI could, possibly be a hazard. I would be self-inflicted sabotage.

> At the very least the intruder would gain dangerous insights into your
> OS, enabling them to find further exploits. But just knowing what files
> you have on your system is a risk.

My Links, including the file URIs, are public data. Bus schedules
for example. The file URIs are images expressed in html which I
want to publish. The Web is meant to allow publication!

> I have a situation where I want a user to be able load
> local files from a (local) webpage - and use javascript to modify local
> files ...

Your javascript is executeble isn't it? That's your more risky
circumstance.

> ... so please post your outcome.

"http://members.shaw.ca/peasthope/#Links"

Thanks for the discussion, ... Peter E.

--
Telephone 1 360 450 2132. bcc: peasthope at shaw.ca
Shop pages http://carnot.yi.org/ accessible as long as the old drives survive.
Personal pages http://members.shaw.ca/peasthope/ .


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: 171057032.33506.29205@cantor.invalid">http://lists.debian.org/171057032.33506.29205@cantor.invalid
 
Old 06-09-2011, 07:07 AM
Scott Ferguson
 
Default File URIs; was Re (6): Capability of Iceweasel to open a local file.

On 09/06/11 02:11, peasthope@shaw.ca wrote:
> Scott & others,
>
> From: Scott Ferguson <prettyfly.productions@gmail.com>
> Date: Wed, 08 Jun 2011 12:07:01 +1000
>> I seem to remember a number of URL handling exploits that could cause a
>> problem (if they still exist).
>
> All the admonitions about security have been hypothetical.
> Nobody has painted a convincing picture of a possible failure.

http://en.wikipedia.org/wiki/Directory_traversal

URI exploits:-
Most browsers will process any base64 or UTF as part of the URI and
there have been a number of exploits that use base64 or UTF added to the
published URI to view remote directories and files. (the classic was/is
a login to Linux based networked web cam that could be bypassed by
adding an extra slash to the URI).
Then there's the buffer overflow URI exploits, and the remote protocol
handling exploits where the protocol is changed on the published link.
eg. file substituted with rdp etc.
The majority of the (old) exploits I'm familiar with ('cause I've had to
clean up the mess) work on Windoof only. As there are several directory
traversal exploits for Linux based web browsers I couldn't rule out
current or future ones.

I don't know of any currently working URI exploits that would work on
your specific setup, but I'm not a security expert. But for every Linux
based URI exploit in Metasploit you can bet there's another dozen
unpublished ones. :-(

My personal policy is that with a "compelling argument" I won't take an
unnecessary risk. Publishing links outside of my web server is an
unnecessary risk. Easier to copy the files to the root of the webserver
than take a chance I think? :-)

>
> My Links, including the file URIs, are public data. Bus schedules
> for example. The file URIs are images expressed in html which I
> want to publish. The Web is meant to allow publication!

Yes. And axes are made for cutting wood. ;-p

>
>> I have a situation where I want a user to be able load
>> local files from a (local) webpage - and use javascript to modify local
>> files ...
>
> Your javascript is executeble isn't it?

Yes.
Any file can be made executable.
Binaries can be modified.
Text files can be modified.

> That's your more risky circumstance.


Yes. But that doesn't mean that non-executable files are without risk.
Your bash history for instance - do you mount CIFS shares? Do you use a
password file that's called by /etc/fstab? The more information about
your system available to an attacker - the greater the risk an attack
will be successful.

This is an application that runs on Eee PCs without a webserver. It's a
local app running on Iceweasel with NoScript installed. Never-the-less
there is the potential for problems from local malware, or when
connected to a network.

That I can't list any hazards doesn't mean the application isn't
vulnerable. To run it NoScript has to allow local files to run
Javascript - which would then make it possible for malicious code in
Iceweasel, NoScript - in fact any application that can access the
browser, and probably more, to run.
There may not even currently be a risk - but five years from now it
could come back to bite me. (I don't control the netbooks, the client does).
I'm all for open source code (and hardware), but I try and keep my
systems closed.

<snipped>

Just out of curiosity - is that webserver Apache running the ldap_mod?
Did it allow you to serve a file outside of the public_html directory
without modification?

Cheers

--
Tuttle? His name's Buttle.
There must be some mistake.
Mistake? [Chuckles]
We don't make mistakes.


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: 4DF07140.2050906@gmail.com">http://lists.debian.org/4DF07140.2050906@gmail.com
 

Thread Tools




All times are GMT. The time now is 04:40 AM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org