MouseCommand security/feature thoughts.
Daniel Sheppard
daniels at pronto.com.au
Mon Sep 26 03:48:31 EDT 2005
I was having a play with mousecommand to have a go at some way of
downloading the commands from the web (tossing up between having
user.cmd.rb or using a microformat), and realised that I could do this:
http://localhost:37004/cmd/save/monkey/?content=p+nil&author=YourMomma&doc=%3Cscript%3Ealert(%22code+injection%22)%3C%2Fscript%3E
Put a form in a remote site that posts to that address and have some
javascript submit the form, add in some javascript in the doc section to
redirect the user somewhere else and bam, you've replaced one of their
commands.
Might add a check to the save command to make sure that the referrer is
local - can the referrer string be modified in javascript? Also, should
probably modify the doc section to escape html.
Also, once I figure out what I'm doing with downloading commands, I'm
considering modifying mousecommand to either:
1) make a list of commands that will be redirected through yubnub for
processing (probably won't do this, as there's not much use if I do the
other two below), or have an option to just do this by default with
unknown commands.
2) import commands from yubnub (either convert them to ruby, or allow
the writing of yubnub("yubnub commands") into mousehole (which will
either go run it through yubnub, or do it locally - not sure yet)).
- additionally, change the new command to check for, grab and convert
a yubnub command and enter that in as the default values for a new
command.
3) duplicating yubnub's method of chaining commands (with the curly
brackets).
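The save handler described above, as an added example that is not part of the original post and not MouseHole's own code: a constructed stand-in for the /cmd/save/<name>/ endpoint with the request modelled as a method string, a params Hash and a headers Hash, and commands kept in a plain Hash. The first handler accepts the quoted URL as-is; the second applies the two fixes the post proposes (same-origin Referer check, HTML-escaped doc) plus a POST-only requirement. LOCAL_ORIGIN, parse_save_request and the two save_command_* names are assumptions made for the example.

```ruby
require 'uri'
require 'cgi'

# Constructed stand-in for MouseHole's /cmd/save/<name>/ endpoint. This is
# NOT MouseHole's own code: the request is modelled as a method string, a
# params Hash and a headers Hash, and "commands" are stored in a plain Hash.
LOCAL_ORIGIN = URI.parse("http://localhost:37004")

# The URL quoted in the post, decoded below to show what a browser would send.
ATTACK_URL = "http://localhost:37004/cmd/save/monkey/" \
             "?content=p+nil&author=YourMomma" \
             "&doc=%3Cscript%3Ealert(%22code+injection%22)%3C%2Fscript%3E"

def parse_save_request(url)
  uri = URI.parse(url)
  params = URI.decode_www_form(uri.query.to_s).to_h   # "+" -> space, %XX decoded
  params["name"] = uri.path.split("/")[3]             # /cmd/save/<name>/
  params
end

# Vulnerable handler: any GET from any origin overwrites the command, and the
# doc is stored verbatim, so a <script> in it runs when the doc is rendered.
def save_command_vulnerable(store, params, _headers, _method)
  store[params["name"]] = { content: params["content"],
                            author:  params["author"],
                            doc:     params["doc"] }
  :saved
end

# Referer check done on parsed components, not a string prefix:
# "http://localhost.evil.example:37004/" starts with "http://localhost" but is
# not the local origin. Page JavaScript cannot set Referer, but a browser or
# proxy may strip it, so a missing Referer is refused as well.
def same_origin_referer?(headers)
  ref = headers["Referer"].to_s
  return false if ref.empty?
  u = URI.parse(ref)
  u.scheme == LOCAL_ORIGIN.scheme &&
    u.host == LOCAL_ORIGIN.host &&
    u.port == LOCAL_ORIGIN.port
rescue URI::InvalidURIError
  false
end

# Hardened handler: POST only, same-origin Referer, and HTML-escaped doc and
# author so stored markup is displayed as text rather than executed.
def save_command_hardened(store, params, headers, method)
  return :rejected_method  unless method == "POST"
  return :rejected_referer unless same_origin_referer?(headers)
  store[params["name"]] = {
    content: params["content"],
    author:  CGI.escapeHTML(params["author"].to_s),
    doc:     CGI.escapeHTML(params["doc"].to_s),
  }
  :saved
end

if __FILE__ == $0
  req = parse_save_request(ATTACK_URL)
  puts "decoded doc: #{req['doc']}"
  puts save_command_vulnerable({}, req, {}, "GET")
  puts save_command_hardened({}, req, { "Referer" => "http://evil.example/" }, "POST")
  puts save_command_hardened({}, req, { "Referer" => "http://localhost:37004/cmd/new" }, "POST")
end
```

On the Referer question in the post: browsers do not let page JavaScript set that header, so a cross-site form cannot forge it, but it is also absent when the user's browser or proxy strips it, which is why the usual stronger fix is a per-session token that only the local UI knows and must include in the save request.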