MouseCommand security/feature thoughts.
Kevin Ballard
kevin at sb.org
Mon Sep 26 04:03:15 EDT 2005
On Sep 26, 2005, at 3:48 AM, Daniel Sheppard wrote:
> I was having a play with mousecommand to have a go at some way of
> downloading the commands from the web (tossing up between having
> user.cmd.rb or using a microformat), and realised that I could do
> this:
>
> http://localhost:37004/cmd/save/monkey/?content=p+nil&author=YourMomma&doc=%3Cscript%3Ealert(%22code+injection%22)%3C%2Fscript%3E
>
> Put a form in a remote site that posts to that address and have some
> javascript submit the form, add in some javascript in the doc section to
> redirect the user somewhere else and bam, you've replaced one of their
> commands.
>
> Might add a check to the save command to make sure that the referrer is
> local - can the referrer string be modified in javascript? Also, should
> probably modify the doc section to escape html.
It would probably be more secure to simply add an opaque UUID to
mousecommand (that it auto-generates, say, each time you run
MouseHole) and you can only edit commands if the opaque UUID is
passed along with the other arguments.
--
Kevin Ballard
kevin at sb.org
http://www.tildesoft.com
http://kevin.sb.org
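
The two mitigations raised in this thread (a per-run opaque token required on save, and HTML-escaping the doc field), sketched as an added example that is not part of the original messages and is not MouseHole's code. The CommandStore class, the "token" parameter name and the method names are hypothetical.

```ruby
require 'securerandom'
require 'erb'

# Hypothetical stand-in for the command store; not MouseHole's real classes.
class CommandStore
  attr_reader :token, :commands

  def initialize
    @token = SecureRandom.uuid   # regenerated on every start, never guessable
    @commands = {}
  end

  # params: request parameters with string keys. Returns :saved or :forbidden.
  def save(name, params)
    return :forbidden unless token_ok?(params['token'])
    @commands[name] = { content: params['content'].to_s,
                        author:  params['author'].to_s,
                        doc:     params['doc'].to_s }
    :saved
  end

  # Escape when rendering, so stored markup is shown as text, not executed.
  def render_doc(name)
    cmd = @commands[name]
    cmd && ERB::Util.html_escape(cmd[:doc])
  end

  private

  # Constant-time comparison; a missing or wrong-length token fails early.
  def token_ok?(supplied)
    return false unless supplied.is_a?(String) &&
                        supplied.bytesize == @token.bytesize
    diff = 0
    supplied.bytes.zip(@token.bytes) { |a, b| diff |= a ^ b }
    diff.zero?
  end
end

# Constructed sample: the parameters from the URL quoted above, URL-decoded.
# A cross-site form can supply these, but cannot read the per-run token.
CROSS_SITE_PARAMS = {
  'content' => 'p nil',
  'author'  => 'YourMomma',
  'doc'     => '<script>alert("code injection")</script>'
}.freeze
```

The token only helps if it is embedded solely in pages served by the local editor itself, since a remote page cannot read those under the same-origin policy.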