> -----Original Message-----
> From: alandat_private [SMTP:alandat_private]
> Sent: Wednesday, July 18, 2001 12:10
> To: bugtraqat_private
> Subject: Re: Linux, too, sot of (Windows MS-DOS Device Name DoS
> vulnerabilities)
>
> Ishikawa <ishikawaat_private> wrote:
> > due to the problems mentioned,
> > we should not forget that a famous browser client on
> > Linux is similarly guilty.
> >
> > I tried the following URLs with
> > my netscape browser under Linux.
> >
> > file:///dev/null
> ...
> > file:///dev/zero
> ...
> > file:///dev/pty0
>
> A 'stat' of all of these files shows that they are not regular
> files. There's no reason, then, to open them in the browser.
>
> > If someone wants to be nasty, he/she can
> > create a web page with
> > URLs inside <IMG SRC="these device files" ....>
> > listing DOS devices as well as these popular UNIX devices.
>
> I question the wisdom of browsers which allow external web pages to
> reference local files via 'file://' URLs.
>

I agree; that's really the underlying problem. Checking for special files is a band-aid fix that also limits flexibility. References to 'local' URLs (file: and otherwise) from 'non-local' documents should at least produce a confirmation dialog. Beyond that, configurable policy facilities like those starting to show up in browsers for cookies etc. would be nice.

> > As someone mentioned, we can't predict what other
> > device files may show up in the future by addition of
> > new hardware drivers.
>
> We also cannot predict where special files exist, either. Placing
> the special file 'zero' in '/dev' is simply an administrative
> convention on many Unix systems. Device files can exist anywhere.
>

On some kernels (HURD, or Linux/*BSD with userfs), normal files can be equally "magic". As a general principle, regardless of platform, local paths may encompass more than just 'dumb' files, so following 'remote' references to them should be restricted.
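
The policy discussed in this thread, as an added sketch that is not from either poster or from any browser: a reference from a non-local document to a `file:` URL requires confirmation whatever the target is, and the `stat` regular-file check is kept only as a fallback for local documents. The function names, the three verdict strings and the sample URLs are assumptions made for illustration.

```python
import os
import stat
import tempfile
from urllib.parse import urlsplit
from urllib.request import url2pathname


def is_regular_file(path):
    """stat-based band-aid: True only for regular files (follows symlinks)."""
    try:
        return stat.S_ISREG(os.stat(path).st_mode)
    except OSError:
        return False


def decide(referrer_url, target_url):
    """Return 'allow', 'confirm' or 'deny' (hypothetical verdicts) for a reference."""
    target = urlsplit(target_url)
    if target.scheme != "file":
        return "allow"  # not a local reference, outside this policy
    if urlsplit(referrer_url).scheme != "file":
        # Non-local document pointing at a local path: ask the user whatever
        # the file type is, since stat cannot see userfs/HURD "magic" files.
        return "confirm"
    # Local document: fall back to the stat check from the quoted message.
    return "allow" if is_regular_file(url2pathname(target.path)) else "deny"


def demo():
    """Run the policy over constructed sample references."""
    with tempfile.TemporaryDirectory() as d:
        regular = os.path.join(d, "notes.txt")
        fifo = os.path.join(d, "pipe")  # a special file that lives outside /dev
        open(regular, "w").close()
        os.mkfifo(fifo)
        local_page = "file://" + os.path.join(d, "index.html")
        remote_page = "http://example.com/page.html"  # constructed URL
        return {
            "remote->regular": decide(remote_page, "file://" + regular),
            "remote->/dev/zero": decide(remote_page, "file:///dev/zero"),
            "local->regular": decide(local_page, "file://" + regular),
            "local->fifo": decide(local_page, "file://" + fifo),
            "local->/dev/null": decide(local_page, "file:///dev/null"),
            "remote->remote": decide(remote_page, "http://example.com/a.png"),
        }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(case, verdict)
```

A loader that goes on to open an allowed path should repeat the check with `os.fstat` on the opened descriptor, because the file can be replaced between the `stat` call and the open.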
This archive was generated by hypermail 2b30 : Thu Jul 19 2001 - 09:10:41 PDT