[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-Disclosure] shell:windows command question

To: bkfsec@xxxxxxxxxxxxxxxx (Barry Fitzgerald)
Subject: Re: [Full-Disclosure] shell:windows command question
From: Darren Reed <avalon@xxxxxxxxxxxxxxxx>
Date: Fri, 9 Jul 2004 01:38:02 +1000 (Australia/NSW)

In some mail from Barry Fitzgerald, sie said:
> Darren Reed wrote:
> >>>A simple solution would be to add the shell protocol to this list.
> >>>Personally I think a secure blacklist is hard to maintain as new
> >>>dangerous external protocols could be invented by third-parties leaving
> >>>Mozilla vulnerable again.
> >>>      
> >>Completely agreed.
> >>
> >>There should be a whitelist, not a blacklist... a safe protocols list.
> >
> >And what would happen?
> >
> >Nobody would configure anything but those.
> >
> >And what would happen next?
> >
> >People would find ways to put their "new stuff" inside the "safe ones".
> >
> >Kind of like how "http" is declared safe (but is it really??) and so
> >every man and their dog tunnels their proprietary stuff through that
> >because it'll go through firewalls.
> 
> And you're suggesting that allowing local protocols to run local code 
> per the background call of a website is better?

I'm not suggesting anything other than what I said.

Darren

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

References:
- Re: [Full-Disclosure] shell:windows command question
  - From: Barry Fitzgerald

Prev by Date: [Full-Disclosure] No shell => secure?
Next by Date: Re: [Full-Disclosure] Nokia 3560 Remote DOS
Previous by thread: Re: [Full-Disclosure] shell:windows command question
Next by thread: Re: [Full-Disclosure] shell:windows command question
Index(es):
- Date
- Thread