| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <1683814a05051901597a210431@mail.gmail.com> Date: Thu May 19 09:59:16 2005 From: deeper at gmail.com (Daniel) Subject: Mac OSX 10.4 Dashboard Authentication Hijacking Vulnerability "Combining this vulnerability with Safari's auto-install vulnerability, it may be possible for a widget to maliciously install itself by visiting a website, wait for the user to authenticate to perform a task, and take full control of a system." Have you tested this on 10.4.1 or is this a theoretical issue? Safari now pops up the window saying "this is an app, blah blah blah", so user interaction is required for the widget to be downloaded (hence negating the whole widget installing itself" On 5/19/05, ph0enix <ph0enix@...tonemorething.org> wrote: > > http://stephan.com/widgets/zaptastic/ > > well, I know this already and maybe I wasn't clear in my last mail: How do > you exploit this under 10.4.1 when the option in Safari is turned on, > because Jonathan Zdziarski described 10.4.1 as vulnerable? > > > > > > > > > > www.osvdb.org -- everything is vulnerable. > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: > http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > >
Powered by blists - more mailing lists