lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <200407081423.i68ENq5Z028984@cairo.anu.edu.au>
From: avalon at cairo.anu.edu.au (Darren Reed)
Subject: shell:windows command question

In some mail from Barry Fitzgerald, sie said:
> 
> Andreas Sandblad wrote:
> 
> >Did some quick search on Bugzilla and came up with the following:
> >
> >Mozilla allows external protocols as discussed in:
> >http://bugzilla.mozilla.org/show_bug.cgi?id=167475
> >They seem to blacklist the following external protocol handlers:
> >(patch http://bugzilla.mozilla.org/attachment.cgi?id=102263&action=view)
> >hcp, vbscript, javascript, ms-help, vnd.ms.radio
> >
> >A simple solution would be to add the shell protocol to this list.
> >Personally I think a secure blacklist is hard to maintain as new
> >dangerous external protocols could be invented by third-parties leaving
> >Mozilla vulnerable again.
> 
> Completely agreed.
> 
> There should be a whitelist, not a blacklist... a safe protocols list.

And what would happen?

Nobody would configure anything but those.

And what would happen next?

People would find ways to put their "new stuff" inside the "safe ones".

Kind of like how "http" is declared safe (but is it really??) and so
every man and their dog tunnels their proprietary stuff through that
because it'll go through firewalls.

Darren


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ