Vulnerability Development mailing list archives

Previous By Date Next
Previous By Thread Next

RE: Winnt/Win2k Vuln ?

From: "David Schwartz" <davids () webmaster com>
Date: Fri, 10 Aug 2001 12:42:33 -0700


Think that is scary?  I cannot state about the current browser, but
previous versions bypassed a lot of the NT security features.  Happens
when the browser is made an integral part of the OS - but for legal
reasons and with apparently little concerns to security ones.


        I would say the reverse would be more of a security problem. You'd prefer
that somebody could create a web site with the same name as one of your
files and when you ask for the file, you get the web site?

        If you care about security, enter fully-qualified URLs, don't use
abbreviations. Any scheme to accept abbreviations will sometimes fail to get
you what you want. For example, what will your browser do if you just type
in "ftp.mydomain.com"? Will it take it as "http://ftp.mydomain.com";? Or will
it take it as "http://ftp.mydomaincom";? If you don't know and understand the
rules for expanding abbreviations, don't use abbreviations.

        I only wish you could disable them. Both IE and Netscape have done things I
didn't expect more than once.

        DS
Previous By Date Next
Previous By Thread Next

Current thread: