Full Disclosure mailing list archives
RE: Internet Explorer and Opera local zone restriction bypass
From: "Thor Larholm" <thor () pivx com>
Date: Thu, 30 Oct 2003 14:30:00 -0800
From: Paul Szabo [mailto:psz () maths usyd edu au] Storing in an unpredictable location might help. Obfuscation does not: instead of setting a cookie of BadThing, the attacker could set one that will become BadThing. The need to reverse-engineer the obfuscation, and details like possible character sets, are a minor hindrance only. Security by obscurity does not work.
If you had followed the debate in detail, you would have seen that there are several aspects to this problem. First you have to store defined content in a known location, then you have to load a locally residing file in a window object, then you have to use another vulnerability to change security zone and then you have to convince IE to render the stored content as HTML. Flash can remove the first and latter, and there is absolutely no reverse-engineering that will convince IE to render a BAE-64 encoded string as HTML. Loading a locally residing file in a window object brings nothing new into the world of IE exploits, and after that you STILL have to rely on yet another cross-domain vulnerability before all of this can be exploited. There is no obscurity being promised here, just an additional layer of security - encoding and decoding data when it is being stored to and read from permanent storage by Flash. Obscurity by security would only have been the case here if the data that Flash stores was sensitive or private, but it is not - all we want is to avoid having Flash used as an automated transport mechanism of data from the Internet Zone to any local security zones. Regards Thor Larholm PivX Solutions, LLC - Senior Security Researcher Get our research, join our mailinglist - http://pivx.com/larholm/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- RE: Internet Explorer and Opera local zone restriction bypass Thor Larholm (Oct 25)
- <Possible follow-ups>
- Re: Internet Explorer and Opera local zone restriction bypass Paul Szabo (Oct 25)
- Re: Internet Explorer and Opera local zone restriction bypass Bipin Gautam (Oct 29)
- Re: Internet Explorer and Opera local zone restriction bypass Bipin Gautam (Oct 29)
- Re: Re: Internet Explorer and Opera local zone restriction bypass fulldisc (Oct 29)
- Re: Re: Internet Explorer and Opera local zone restriction bypass jelmer (Oct 29)
- Re: Internet Explorer and Opera local zone restriction bypass Paul Szabo (Oct 30)
- RE: Internet Explorer and Opera local zone restriction bypass Paul Szabo (Oct 30)
- RE: Internet Explorer and Opera local zone restriction bypass Thor Larholm (Oct 30)
- Re: Internet Explorer and Opera local zone restriction bypass Valdis . Kletnieks (Oct 30)
- RE: Internet Explorer and Opera local zone restriction bypass Thor Larholm (Oct 30)
- RE: RE: Internet Explorer and Opera local zone restriction bypass Jerry Heidtke (Oct 30)