Re: Re: Safari for windows remote arbitry file upload
laurent.gaffie@xxxxxxxxx wrote in response to me:
>"I don't see that this is a bug. Could you explain a little more fully?"
>
>well configured like this by default,it's a security hole . it's a perfect
>hole for a virus, trojan, etc. you can send any malicous files to a remote
>desktop via a malicious website or even a XSS , like an executable with a
>"my computer" icon ( for exemple .. )
OK, but there's no bug in the program that's exploitable in itself. The
downloaded malware doesn't execute automatically without user input. Safari
is doing exactly what it's designed to do. It's a configuration problem,
rather like when the Windows operating system was still being shipped to
users in what I called "suicide mode," not a bug in the program.
Should Safari be configured differently by default? I certainly think so;
but this isn't really a bug.
Best regards,
Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois
60115