[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-Disclosure] shell:windows command question

To: Darren Reed <avalon@xxxxxxxxxxxxxxxx>
Subject: Re: [Full-Disclosure] shell:windows command question
From: Barry Fitzgerald <bkfsec@xxxxxxxxxxxxxxxx>
Date: Thu, 08 Jul 2004 10:28:22 -0400

Darren Reed wrote:

A simple solution would be to add the shell protocol to this list. Personally I think a secure blacklist is hard to maintain as new dangerous external protocols could be invented by third-parties leaving Mozilla vulnerable again.

Completely agreed.

There should be a whitelist, not a blacklist... a safe protocols list.

And what would happen?

Nobody would configure anything but those.

And what would happen next?

People would find ways to put their "new stuff" inside the "safe ones".
Kind of like how "http" is declared safe (but is it really??) and so
every man and their dog tunnels their proprietary stuff through that
because it'll go through firewalls.

And you're suggesting that allowing local protocols to run local code per the background call of a website is better?

-Barry


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Follow-Ups:
- Re: [Full-Disclosure] shell:windows command question
  - From: Darren Reed

References:
- Re: [Full-Disclosure] shell:windows command question
  - From: Darren Reed

Prev by Date: RE: [Full-Disclosure] Nokia 3560 Remote DOS
Next by Date: Re: [Full-Disclosure] shell:windows command question
Previous by thread: Re: [Full-Disclosure] shell:windows command question
Next by thread: Re: [Full-Disclosure] shell:windows command question
Index(es):
- Date
- Thread