Everything, Everything

2020: J F M A M
2019: J F M A M J J A S O N D
2018: J F M A M J J A S O N D
2017: J F M A M J J A S O N D
2016: J F M A M J J A S O N D
2015: J F M A M J J A S O N D
2014: J F M A M J J A S O N D
2013: J F M A M J J A S O N D
2012: J F M A M J J A S O N D
2011: J F M A M J J A S O N D
2010: J F M A M J J A S O N D
2009: J F M A M J J A S O N D
2008: J F M A M J J A S O N D
2007: J F M A M J J A S O N D
2006: J F M A M J J A S O N D
2005: J F M A M J J A S O N D
2004: J F M A M J J A S O N D
Note To Self
Wednesday 7th November, 2007 23:33 Comments: 6
This looks evil. Must look into how easy it is to abuse this. So much for Firefox being the safer browser ;)
Avatar Sadie - Thursday 8th November, 2007 14:58
Admittedly I don't come from a security background, but I don't get it. The jar: protocol only delivers files that are embedded in the jar/zip/odt file, it doesn't (that I can see) open up server-side scripting opportunities. And if all it can do is run code on the client side, well, we tend to assume the client is insecure and trying to screw with us anyway don't we?

What am I missing?
Avatar Sadie - Thursday 8th November, 2007 15:07
Colour me stupid. It was talking about a bad site (or user-generated content on an insecure site) being used to compromise the client.
Avatar Fab - Thursday 8th November, 2007 15:18
"Colour me stupid" So what colour is that then? ;)
Avatar Sadie - Thursday 8th November, 2007 17:25
Kind of a dull hospital green, I imagine.

Actually, I blame the website. Looking through a few of their other articles, they seem to be very alarmist. I'm not saying that any of the vulnerabilities they report are untrue, but their response to each one tends to be "Oh noes! Running a PDF/website/Word document/operating system of any sort can result in your computer being completely taken over! Don't use your computer for anything! Evar!"
Avatar Sadie - Thursday 8th November, 2007 17:29
And they don't know how to spell. And they're ugly.
Avatar Robert - Thursday 8th November, 2007 19:47
user-generated content on an insecure site

That's what I was thinking about, perhaps a Sharepoint server (except, IIRC, it sends the Content-Disposition header so the browser will offer to save the file instead) or other similar website that allows you to upload safe looking files.
© Robert Nicholls 2002-2020
The views and opinions expressed on this site do not represent the views of my employer.
HTML5 / CSS3