[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-Disclosure] shell:windows command question

To: Andreas Sandblad <sandblad@xxxxxxxxxx>
Subject: Re: [Full-Disclosure] shell:windows command question
From: Barry Fitzgerald <bkfsec@xxxxxxxxxxxxxxxx>
Date: Thu, 08 Jul 2004 09:29:31 -0400

Andreas Sandblad wrote:

Did some quick search on Bugzilla and came up with the following:

Mozilla allows external protocols as discussed in:
http://bugzilla.mozilla.org/show_bug.cgi?id=167475
They seem to blacklist the following external protocol handlers:
(patch http://bugzilla.mozilla.org/attachment.cgi?id=102263&action=view)
hcp, vbscript, javascript, ms-help, vnd.ms.radio

A simple solution would be to add the shell protocol to this list.
Personally I think a secure blacklist is hard to maintain as new
dangerous external protocols could be invented by third-parties leaving
Mozilla vulnerable again.

Completely agreed.

There should be a whitelist, not a blacklist... a safe protocols list.

-Barry


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Follow-Ups:
- Re: [Full-Disclosure] shell:windows command question
  - From: Darren Reed

References:
- [Full-Disclosure] shell:windows command question
  - From: Perrymon, Josh L.
- Re: [Full-Disclosure] shell:windows command question
  - From: Andreas Sandblad
- Re: [Full-Disclosure] shell:windows command question
  - From: Barry Fitzgerald
- Re: [Full-Disclosure] shell:windows command question
  - From: Andreas Sandblad
- Re: [Full-Disclosure] shell:windows command question
  - From: Andreas Sandblad

Prev by Date: RE: [Full-Disclosure] shell:windows command question
Next by Date: Re: [Full-Disclosure] Web sites compromised by IIS attack
Previous by thread: Re: [Full-Disclosure] shell:windows command question
Next by thread: Re: [Full-Disclosure] shell:windows command question
Index(es):
- Date
- Thread