[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] Question regarding script vulnerabilities



To be honest, I don't understand the question.

Malicious scripts running on your server are a concern, regardless of type
of hosting service or a trustworthy provider.


Chris.



On Thu, Dec 20, 2012 at 2:00 PM, Philip Whitehouse <philip@xxxxxxxxx> wrote:

> Malicious scripts are generally designed to one of two targets:
>
> 1) The user-base of the target.
>
> An XSS vulnerability typically gives you the ability to hijack a users
> browser, possibly allowing remote code execution on their machine or
> intercepting keystrokes while on the site. In addition to allowing your
> users (and admins) data to be harvested you suffer reputational damage.
>
> 2) Remote code targeting the actual site.
>
> If the file has permissions, it could delete files on the server.
>
> So now we have established the purpose, let's consider deployment:
>
> 1) File upload.
>
> Many websites deliberately allow file upload (avatars on forums, images
> for blog posts, shared files and so forth). If not correctly sanitised
> there is little stopping them uploading a server side script, client side
> script or other nefarious file.
>
> Incidentally this was the main threat of the image exploit - websites
> couldn't guarantee uploaded avatars didn't contain executable code.
>
> 2) Script tags
>
> Typically forums will sanitise text to remove script tags. Blogs are often
> less punitive. If anyone can upload HTML raw then via privilege escalation
> or hijack there is the potential for an attacker.
>
> To be honest if you even slightly suspected your host, you're screwed -
> malicious scripts are the least of your problems...
>
> Philip Whitehouse
>
> On 19 Dec 2012, at 05:25, Rand McRanderson <therandshow@xxxxxxxxx> wrote:
>
> I was curious, if you have a virtual dedicated server or a dedicated
> server, and a reasonably trustworthy hosting service, are malicious scripts
> planted by external people a big concern? If so why?
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/