[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] Question regarding script vulnerabilities
- To: Rand McRanderson <therandshow@xxxxxxxxx>
- Subject: Re: [Full-disclosure] Question regarding script vulnerabilities
- From: Philip Whitehouse <philip@xxxxxxxxx>
- Date: Thu, 20 Dec 2012 13:00:08 +0000
Malicious scripts are generally designed to one of two targets:
1) The user-base of the target.
An XSS vulnerability typically gives you the ability to hijack a users browser,
possibly allowing remote code execution on their machine or intercepting
keystrokes while on the site. In addition to allowing your users (and admins)
data to be harvested you suffer reputational damage.
2) Remote code targeting the actual site.
If the file has permissions, it could delete files on the server.
So now we have established the purpose, let's consider deployment:
1) File upload.
Many websites deliberately allow file upload (avatars on forums, images for
blog posts, shared files and so forth). If not correctly sanitised there is
little stopping them uploading a server side script, client side script or
other nefarious file.
Incidentally this was the main threat of the image exploit - websites couldn't
guarantee uploaded avatars didn't contain executable code.
2) Script tags
Typically forums will sanitise text to remove script tags. Blogs are often less
punitive. If anyone can upload HTML raw then via privilege escalation or hijack
there is the potential for an attacker.
To be honest if you even slightly suspected your host, you're screwed -
malicious scripts are the least of your problems...
Philip Whitehouse
On 19 Dec 2012, at 05:25, Rand McRanderson <therandshow@xxxxxxxxx> wrote:
> I was curious, if you have a virtual dedicated server or a dedicated server,
> and a reasonably trustworthy hosting service, are malicious scripts planted
> by external people a big concern? If so why?
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/