<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<META NAME="Generator" CONTENT="MS Exchange Server version 6.5.6944.0">
<TITLE>MouseCommand security/feature thoughts.</TITLE>
</HEAD>
<BODY>
<!-- Converted from text/rtf format -->
<P><FONT SIZE=2 FACE="Arial">I was having a play with mousecommand to have a go at some way of downloading the commands from the web (tossing up between having user.cmd.rb or using a microformat), and realised that I could do this:</FONT></P>
<P><A HREF="http://localhost:37004/cmd/save/monkey/?content=p+nil&author=YourMomma&doc=%3Cscript%3Ealert(%22code+injection%22)%3C%2Fscript%3E"><U><FONT COLOR="#0000FF" SIZE=2 FACE="Arial">http://localhost:37004/cmd/save/monkey/?content=p+nil&author=YourMomma&doc=%3Cscript%3Ealert(%22code+injection%22)%3C%2Fscript%3E</FONT></U></A></P>
<P><FONT SIZE=2 FACE="Arial">Put a form in a remote site that posts to that address and have some javascript submit the form, add in some javascript in the doc section to redirect the user somewhere else and bam, you've replaced one of their commands.</FONT></P>
<P><FONT SIZE=2 FACE="Arial">Might add a check to the save command to make sure that the referrer is local - can the referrer string be modified in javascript? Also, should probably modify the doc section to escape html.</FONT></P>
<P><FONT SIZE=2 FACE="Arial">Also, once I figure out what I'm doing with downloading commands, I'm also considering modifying mousecommand to either:</FONT></P>
<P><FONT SIZE=2 FACE="Arial">1) make a list of commands that will be redirected through yubnub for processing (probably wont do this, as there's not much use if I do the other two below), or have an option to just do this by default with unknown commands.</FONT></P>
<P><FONT SIZE=2 FACE="Arial">2) import commands from yubnub (either convert them to ruby, or allow the writing of yubnub("yubnub commands") into mousehole (which will either go run it through yubnub, or do it locally - not sure yet).</FONT></P>
<P><FONT SIZE=2 FACE="Arial"> - additionally, change the new command to check for, grab and convert a yubnub command and enter that in as the default values for a new command.</FONT></P>
<P><FONT SIZE=2 FACE="Arial">3) duplicating yubnub's method of chaining commands (with the curly brackets).</FONT>
</P>
<BR>
<DIV>#####################################################################################</DIV>
<DIV>This email has been scanned by MailMarshal, an email content filter. </DIV>
<DIV>#####################################################################################</DIV>
</BODY>
</HTML>