This page contains all of the posts and discussion on MemeStreams referencing the following web page: It hits the fan!.

It hits the fan!
by Acidus at 2:20 pm EST, Jan 4, 2007

RSnake is a fucking genius. Using a file:/// URL pointed at the manual PDF installed with Acrobat, you can execute JavaScript in the local zone. Oh yeah, local file access, program execution, completely uncrippled XmlHttpRequest.

This is not good.


 
RE: It hits the fan!
by Hijexx at 3:08 pm EST, Jan 4, 2007

Acidus wrote:
RSnake is a fucking genius. Using a file:/// URL pointed at the manual PDF installed with Acrobat, you can execute JavaScript in the local zone. Oh yeah, local file access, program execution, completely uncrippled XmlHttpRequest.

This is not good.

SANS is reporting that Adobe 8 is not susceptible to the original http:// URL vuln. Is it your experience that Adobe 8 mitigates both of these vulnerabilities?

Also, the file:/// URL vuln would need to be version-specific, yes? Since Adobe installs the documentation PDF in a point-rev-numbered directory.

My IE6 SP2 prompts for unsafe ActiveX confirmation before the plugin is even called when using the file:/// method.


  
RE: It hits the fan!
by Acidus at 4:21 pm EST, Jan 4, 2007

Hijexx wrote:

Acidus wrote:
RSnake is a fucking genius. Using a file:/// URL pointed at the manual PDF installed with Acrobat, you can execute JavaScript in the local zone. Oh yeah, local file access, program execution, completely uncrippled XmlHttpRequest.

This is not good.

SANS is reporting that Adobe 8 is not susceptible to the original http:// URL vuln. Is it your experience that Adobe 8 mitigates both of these vulnerabilities?

Also, the file:/// URL vuln would need to be version-specific, yes? Since Adobe installs the documentation PDF in a point-rev-numbered directory.

My IE6 SP2 prompts for unsafe ActiveX confirmation before the plugin is even called when using the file:/// method.

And we all know users never click "OK" to ActiveX windows ... :-)

From all reports I have seen, Reader 8 is safe. However I keep getting conflicting reports about IE6 + SP2 + AR6. The problem is so few people are saying what OS they are using.


It hits the fan!
by skullaria at 3:24 pm EST, Jan 4, 2007

Just. Wow.


It hits the fan!
by k at 4:56 pm EST, Jan 5, 2007

RSnake is a fucking genius. Using a file:/// URL pointed at the manual PDF installed with Acrobat, you can execute JavaScript in the local zone. Oh yeah, local file access, program execution, completely uncrippled XmlHttpRequest.

This is not good.

[Yeah, I went ahead and removed the PDFs from thesupernicety, just to be safe. Fortunately, there weren't many. Some people are super boned. -k]

