Full Disclosure mailing list archives
Re: Mac OSX 10.4 Dashboard Authentication Hijacking Vulnerability
From: Daniel <deeper () gmail com>
Date: Thu, 19 May 2005 09:59:11 +0100
"Combining this vulnerability with Safari's auto-install vulnerability, it may be possible for a widget to maliciously install itself by visiting a website, wait for the user to authenticate to perform a task, and take full control of a system." Have you tested this on 10.4.1 or is this a theoretical issue? Safari now pops up the window saying "this is an app, blah blah blah", so user interaction is required for the widget to be downloaded (hence negating the whole widget installing itself" On 5/19/05, ph0enix <ph0enix () justonemorething org> wrote:
http://stephan.com/widgets/zaptastic/ well, I know this already and maybe I wasn't clear in my last mail: How do you exploit this under 10.4.1 when the option in Safari is turned on, because Jonathan Zdziarski described 10.4.1 as vulnerable? www.osvdb.org -- everything is vulnerable. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: Mac OSX 10.4 Dashboard Authentication Hijacking Vulnerability, (continued)
- Re: Mac OSX 10.4 Dashboard Authentication Hijacking Vulnerability Alain Fauconnet (May 18)
- Re: Mac OSX 10.4 Dashboard Authentication Hijacking Vulnerability Jonathan Zdziarski (May 19)
- Re: Mac OSX 10.4 Dashboard Authentication Hijacking Vulnerability Daniel (May 19)
- Re: Mac OSX 10.4 Dashboard Authentication Hijacking Vulnerability Jonathan Zdziarski (May 19)
- Re: Mac OSX 10.4 Dashboard Authentication Hijacking Vulnerability Daniel (May 19)
- Re: Mac OSX 10.4 Dashboard Authentication Hijacking Vulnerability Jonathan Zdziarski (May 19)
- Re: Mac OSX 10.4 Dashboard Authentication Hijacking Vulnerability Graham Reed (May 19)
- Re: Mac OSX 10.4 Dashboard Authentication Hijacking Vulnerability Jonathan Zdziarski (May 19)
- Re: Mac OSX 10.4 Dashboard Authentication Hijacking Vulnerability Alain Fauconnet (May 18)
- Re: Mac OSX 10.4 Dashboard Authentication Hijacking Vulnerability ZATAZ.net (May 18)
- Re: Mac OSX 10.4 Dashboard Authentication Hijacking Vulnerability ph0enix (May 18)
- Re: Mac OSX 10.4 Dashboard Authentication Hijacking Vulnerability Daniel (May 19)
- Content detection in html payload with snort ? Frederic Charpentier (May 19)
- Re: Mac OSX 10.4 Dashboard Authentication Hijacking Vulnerability ph0enix (May 19)
- Re: Mac OSX 10.4 Dashboard Authentication Hijacking Vulnerability Jonathan Zdziarski (May 19)
- Re: Mac OSX 10.4 Dashboard Authentication Hijacking Vulnerability ph0enix (May 19)
- Message not available
- Message not available
- Re: Mac OSX 10.4 Dashboard Authentication Hijacking Vulnerability Jonathan Zdziarski (May 19)
- Re: Ports used by trogens Who? (May 21)