lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAD6s_Xu-j5p0WbUV9fAYWH9LpX96E0M3xmLT9Dr8pqJjKDROJg@mail.gmail.com>
Date: Thu, 20 Dec 2012 15:03:51 +0100
From: Christian Sciberras <uuf6429@...il.com>
To: Philip Whitehouse <philip@...uk.com>
Cc: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Re: Question regarding script vulnerabilities

To be honest, I don't understand the question.

Malicious scripts running on your server are a concern, regardless of type
of hosting service or a trustworthy provider.


Chris.



On Thu, Dec 20, 2012 at 2:00 PM, Philip Whitehouse <philip@...uk.com> wrote:

> Malicious scripts are generally designed to one of two targets:
>
> 1) The user-base of the target.
>
> An XSS vulnerability typically gives you the ability to hijack a users
> browser, possibly allowing remote code execution on their machine or
> intercepting keystrokes while on the site. In addition to allowing your
> users (and admins) data to be harvested you suffer reputational damage.
>
> 2) Remote code targeting the actual site.
>
> If the file has permissions, it could delete files on the server.
>
> So now we have established the purpose, let's consider deployment:
>
> 1) File upload.
>
> Many websites deliberately allow file upload (avatars on forums, images
> for blog posts, shared files and so forth). If not correctly sanitised
> there is little stopping them uploading a server side script, client side
> script or other nefarious file.
>
> Incidentally this was the main threat of the image exploit - websites
> couldn't guarantee uploaded avatars didn't contain executable code.
>
> 2) Script tags
>
> Typically forums will sanitise text to remove script tags. Blogs are often
> less punitive. If anyone can upload HTML raw then via privilege escalation
> or hijack there is the potential for an attacker.
>
> To be honest if you even slightly suspected your host, you're screwed -
> malicious scripts are the least of your problems...
>
> Philip Whitehouse
>
> On 19 Dec 2012, at 05:25, Rand McRanderson <therandshow@...il.com> wrote:
>
> I was curious, if you have a virtual dedicated server or a dedicated
> server, and a reasonably trustworthy hosting service, are malicious scripts
> planted by external people a big concern? If so why?
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ