Re: Re: Safari for windows remote arbitry file upload

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: Re: Safari for windows remote arbitry file upload
From: Neil Dickey <neil@xxxxxxxxxxxx>
Date: Mon, 20 Aug 2007 17:08:00 -0500 (CDT)
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Reply-to: Neil Dickey <neil@xxxxxxxxxxxx>

laurent.gaffie@xxxxxxxxx wrote in response to me:

>"I don't see that this is a bug. Could you explain a little more fully?"
>
>well configured like this by default,it's a security hole . it's a perfect
>hole for a virus, trojan, etc. you can send any malicous files to a remote
>desktop via a malicious website or even a XSS , like an executable with a
>"my computer" icon ( for exemple .. )

OK, but there's no bug in the program that's exploitable in itself.  The
downloaded malware doesn't execute automatically without user input.  Safari
is doing exactly what it's designed to do.  It's a configuration problem,
rather like when the Windows operating system was still being shipped to
users in what I called "suicide mode," not a bug in the program.

Should Safari be configured differently by default?  I certainly think so;
but this isn't really a bug.

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois
60115

Prev by Date: RE: Skype Network Remote DoS Exploit
Next by Date: Re: PHPCentral Poll Script Remote Command Execution Vulnerability
Previous by thread: Re: Re: Safari for windows remote arbitry file upload
Next by thread: [ MDKSA-2007:165 ] - Updated cups packages fix vulnerability
Index(es):
- Date
- Thread