[personal profile] cellio
I just got mail from Amazon.uk telling me that the third series of 24 is being released in a couple weeks. Now I know that sometimes a "series" in the UK doesn't equal a "season" in the US, and the third season just finished here, so that made me wonder if the UK edition is breaking up seasons the way they did for West Wing early on. Near as I can tell, no. The final episode aired in May and the DVD for the season is available in August. How strange! (I'm assuming that this is a US show, not an import here, as it is a very US-centric show, but Amazon.com has nothing to say about the third season on DVD so far.) Not that I'm buying yet anyway; I just find it curious.

(Noted in passing: fourth season of West Wing in September; second season of Blake's 7 allegedly in October.)

I sometimes wonder about the security implications of the quizzes and other memes that run around LJ. Consider: your password is (I think) stored in a cookie. You follow a link while reading your friends page (so you're probably logged in) to some unvouched-for site where you give your user name as part of getting some bit of content to post in your journal. I don't know a lot about cookies, but isn't it fairly straightforward for a malicious meme-writer to harvest your password that way? I try to never fill those things out while logged in, personally. (Yes, I do sometimes fill them out, out of curiosity -- the ones that are likely to have interesting content, like the mind map and the friends-list-evaluation ones, not the "what kind of eggplant are you?" ones.)

The two instances of Giant Eagle that I shop at seem to have both stopped carrying my cats' favorite food (Tender Vittles). While googling to try to find out if the product had been discontinued (no one at the store seemed to know anything), I found a place where I can mail-order it by the case for about what I normally pay for it. Ok, that works. Gee, I wonder if I can mail-order the cat litter under similar circumstances, rather than shlepping it home from the store myself? I'll have to try that.

This afternoon I attended a bridal shower for a friend. I so do not know how to be a girly girl. :-) It was a fun time, but there was a lot more estrogen in the air than I'm used to.

(no subject)

Date: 2004-07-26 06:22 am (UTC)
From: [personal profile] geekosaur
Er, to the best of my knowledge, Javascript can't be used to fetch a document and send it somewhere. (VBScript and ActiveX, all bets are off).

It can fetch a document in any of several ways, including creating or hijacking a (possibly invisible, at least in some browsers) frame and loading it with the document; it can generate document content on the fly by assigning literal text to the "document" attribute of a frame or to HTML blocks within it; it can POST forms in loaded documents. Combine these, and malicious JS can retrieve a private entry, then POST it to a waiting site. This is the basis of "cross-site scripting" (XSS) exploits.

There are limits to what can be done via XSS, since browsers do in general try to limit the ability of frames associated with different sites to pass information between each other, but I believe it's not fixable in the general case (at least, not while sites expect to be able to load other sites in frames so they can provide their own navigation mechanisms). In particular, XSS subverts IE's attempt to maintain "security zones" for different sites.
The location bar will reflect the real server you're on (or is there a way around that?)

Supposedly not in Mozilla; in IE, there were historically several (now patched) ways to do it, some of which periodically get regressed (like embedding a control character in the URL, %00 and %01 having been especially troublesome in the past). Recently some malware sites actually managed to overlay an authentic-looking replacement location bar which showed whatever they wanted it to.

JavaScript essentially is not sandboxed (at least in IE) and has access to pretty much everything in the browser; while it in and of itself may not have commands to perform arbitrary actions, it can command the browser to do anything and it can invoke other mechanisms (Java, VBScript, ActiveX controls, ...) that may be available to the browser.
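A defender's counterpart to the thread above, added here as an example and not part of the post or the comments: a small audit of Set-Cookie headers for the attributes (HttpOnly, Secure, SameSite; all added to the cookie spec after this thread) that keep a session cookie out of reach of page scripts and of cross-site form posts. The header values are constructed for illustration.

```python
"""Audit Set-Cookie headers for the attributes that limit what page scripts
and third-party sites can do with a session cookie (constructed example)."""

from dataclasses import dataclass, field


@dataclass
class Cookie:
    name: str
    value: str
    attrs: dict = field(default_factory=dict)  # lower-cased attribute -> value or True


def parse_set_cookie(header):
    """Parse one Set-Cookie header value into name, value and attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True  # flags have no value
    return Cookie(name.strip(), value, attrs)


def audit_cookie(header):
    """Return a list of findings for one Set-Cookie header; [] means no issues."""
    c = parse_set_cookie(header)
    findings = []
    if "httponly" not in c.attrs:
        findings.append(f"{c.name}: no HttpOnly; page scripts can read it via document.cookie")
    if "secure" not in c.attrs:
        findings.append(f"{c.name}: no Secure; also sent over plaintext HTTP")
    samesite = str(c.attrs.get("samesite", "")).lower()
    if samesite not in ("lax", "strict"):
        findings.append(f"{c.name}: SameSite is {samesite or 'unset'}; "
                        "sent with cross-site requests such as a form POST from another site")
    return findings


def audit_all(headers):
    """Audit a list of Set-Cookie header values; one findings list per header."""
    return [audit_cookie(h) for h in headers]


# Constructed sample headers: a weak session cookie, a hardened one, a cross-site one.
SAMPLE_HEADERS = [
    "session=u12345.s9876; Path=/",
    "session=u12345.s9876; Path=/; Secure; HttpOnly; SameSite=Lax",
    "theme=dark; Path=/; SameSite=None; Secure",
]

if __name__ == "__main__":
    for header, findings in zip(SAMPLE_HEADERS, audit_all(SAMPLE_HEADERS)):
        print(header, "->", findings or "ok")
```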
