Re: H.D. content visible on web

From: Duane Arnold (darnold92@Insightbb.com)
Date: 11/09/02


From: "Duane Arnold" <darnold92@Insightbb.com>
Date: Sat, 09 Nov 2002 00:57:43 GMT


> Do you believe
> that every subscriber to this group has no experience in HTML, HTTP, or
> programming?

I am pretty sure that there are others who have programming experience out
here in the newsgroups.

My example of the arbitrary DLL was a little off base due to the fact that
the Web-based VB application programming I am doing has a conduit between the
client machines and the servers, which is Citrix, that allows a client
machine to come across the Internet through a browser and connect to the
n-tier VB application on the Citrix Server Terminal farm and the COM+
server. So a DLL that is instantiated on the server by said VB application
with the purpose of doing something at the client machine is possible,
because of the Citrix client-side and server-side connection.

So on that basis I was mistaken about the ease of doing the same in a non-Citrix
environment.

> Java or VBScript on a server to
> compel a browser to execute an arbitrary DLL written in VBA or C++. At
> no time did you explain how such a thing might occur.

Well, that is not so easy, but it could be done. I would need a little help
from the user on the other end, which seems to be not an issue based on the
many posts I have witnessed in the virus newsgroup. There are a lot of "I
have a worm", "I got a Trojan", "there is a virus on my machine" statements being
made. And this seems to be happening even with AV and a software firewall on
the machine.

And I point directly to the Win 9x/ME series O/S, which has no security
features like the NT, 2K and XP O/S(s) do. So, if I can get the end user
to execute something that will put the DLL on the machine and register it,
that part seems to be easy, even though I don't know anything about making
worms, Trojans or viruses.

Now the other part would be to make someone who has the DLL on the machine
come to my Website. Since you claim to know what you say you know about
programming, then you must know the rest: if that browser is allowing Java or
VBScript execution, or the AV is allowing script execution, then it is over.

Even on the Win NT, 2K, XP O/S(s) this thing could happen too, if the OS is
not hardened to help prevent it.

> No. The original issue was whether www.anonymise.com, by displaying
> the contents of a user's hard drive, was exposing or exploiting a
> security hole. The answer is that it in no way represents a security
> risk.

Well, I went to that website too and came from behind the router, disabled
or enabled everything I could think of to make that website show me the
content of my <C> drive. It was never shown to me. Why? Because I have
to think that the Intrusion Detection System prevented it, which happens to
be BlackIce. The IDS looked at the network traffic between my machine and
that website and prevented it.

It is a scare/con/scam tactic. I understand that. But I also understand that
from across the Internet, the OP's computer was asked to do something and
it did it. I don't care that the information went no further than the OP's
face. That machine was told to do something and it did. It came right
through the firewall and nothing stopped it. What else can come right
through the firewall like that, because the firewall cannot see what's
happening? What else can the machine be made to do?

Out of all the posts that were made by me and others about this whole issue,
that's the point I am making. And I still think the machine is open to
attack.

Duane :)

