[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] Question regarding script vulnerabilities



Malicious scripts are generally designed to one of two targets:

1) The user-base of the target.

An XSS vulnerability typically gives you the ability to hijack a users browser, 
possibly allowing remote code execution on their machine or intercepting 
keystrokes while on the site. In addition to allowing your users (and admins) 
data to be harvested you suffer reputational damage.

2) Remote code targeting the actual site. 

If the file has permissions, it could delete files on the server.

So now we have established the purpose, let's consider deployment:

1) File upload.

Many websites deliberately allow file upload (avatars on forums, images for 
blog posts, shared files and so forth). If not correctly sanitised there is 
little stopping them uploading a server side script, client side script or 
other nefarious file.

Incidentally this was the main threat of the image exploit - websites couldn't 
guarantee uploaded avatars didn't contain executable code.

2) Script tags

Typically forums will sanitise text to remove script tags. Blogs are often less 
punitive. If anyone can upload HTML raw then via privilege escalation or hijack 
there is the potential for an attacker.

To be honest if you even slightly suspected your host, you're screwed - 
malicious scripts are the least of your problems...

Philip Whitehouse

On 19 Dec 2012, at 05:25, Rand McRanderson <therandshow@xxxxxxxxx> wrote:

> I was curious, if you have a virtual dedicated server or a dedicated server, 
> and a reasonably trustworthy hosting service, are malicious scripts planted 
> by external people a big concern? If so why?
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/