|
 |
diumenge, 8 / maig / 2005 |
[Secunia] Mozilla Firefox Two Vulnerabilities. De moment no hi ha cap pegat per a les mateixes.
Two vulnerabilities have been discovered in Firefox, which can be exploited by malicious people to conduct cross-site scripting attacks and compromise a user's system.
1) The problem is that "IFRAME" JavaScript URLs are not properly protected from being executed in context of another URL in the history list. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an arbitrary site.
2) Input passed to the "IconURL" parameter in "InstallTrigger.install()" is not properly verified before being used. This can be exploited to execute arbitrary JavaScript code with escalated privileges via a specially crafted JavaScript URL.
Successful exploitation requires that the site is allowed to install software (default sites are "update.mozilla.org" and "addons.mozilla.org").
A combination of vulnerability 1 and 2 can be exploited to execute arbitrary code.
NOTE: Exploit code is publicly available.
The vulnerabilities have been confirmed in version 1.0.3. Other versions may also be affected.
Ara per ara la única solució és no permetre l'execució de JavaScript (actualització) o bé la funció d'instal·lació de software (Options -> Web Features -> «Allow web sites to install software»)
|
21:28 (# Enllaç permanent) | Comentaris: | Trackback:
|
|
[News.com] Google search finds outage. El problema que vaig detectar aquesta matinada.
It was not a hacking or a security issue," Krane. He said the problem was related to the DNS (Domain Name System), which routes one's Internet protocol address to the appropriate Web site that the user wants to visit. If the DNS system goes down, Web pages requested usually do not appear or take a long time to load.
"Google's global properties were unavailable for a short period of time," Krane said. "We've remedied the problem and access to Google has been restored worldwide."
|
21:11 (# Enllaç permanent) | Comentaris: | Trackback:
|
|
[Macworld UK] Apple pays no homage to Catalonia.
Apple has raised the ire of perhaps ten million Europeans - because it chose not to deliver Catalan localization within Mac OS X 'Tiger'.
The move means Apple has ignored a local campaign in the 68,730 square kilometre Catalan region, which extends across parts of Spain, France, Andorra and Italy. The language is spoken by over seven million and understood by ten million people.
|
16:03 (# Enllaç permanent) | Comentaris: | Trackback:
|
|
 Ping Tunnel és una aplicació que permet construir un túnel pel tràfic TCP dins d'un paquet ICMP. D'aquesta forma quan ens trobem en un lloc on hi ha un tallafocs que talla tot el tràfic però permet fer PING, amb Ping Tunnel podem saltar-nos aquesta restricció i passar virtualment qualsevol mena de tràfic basat en el protocol TCP.
Ptunnel is not a feature-rich tool by any means, but it does what it advertises. So here is what it can do:
- Tunnel TCP using ICMP echo request and reply packets
- Connections are reliable (lost packets are resent as necessary)
- Handles multiple connections
- Acceptable bandwidth (150 kb/s downstream and about 50 kb/s upstream are the currently measured maximas for one tunnel, but with tweaking this can be improved further)
- Authentication, to prevent just anyone from using your proxy
So what do you need for all this to work?
- One computer accessible on the internet that is not firewalled (or at least allows incoming ICMP packets)
- A computer to act as the client (this will usually be your laptop, on the go..)
- Root access, preferably on both computers
- A posix-compliant OS, with libpcap (for packet capturing)
As of version 0.60, Ping Tunnel supports authentication.
Ping Tunnel ha estat verificat amb Linux Fedora i Mac OS X. També hi ha un parell de ports no oficials per a Windows.
|
11:13 (# Enllaç permanent) | Comentaris: | Trackback:
|
|
[The Math Club] Spam Clustering.
I took interest in the idea that spam could be clustered and identified by its inheirent grammar structure and n-gram frequency characteristics. I wrote a bunch of pretty crappy scripts and code to perform different types of analysis on the stuff and I have a bunch of notes on it too. As far as anything visually presentable, all I have is this.
The graph might look interesting, but it really doesnt give you too much information as what the hell is going on.
|
00:39 (# Enllaç permanent) | Comentaris: | Trackback:
|
|
De l'Internet Storm Center, la controvèrsia sobre l'ús de Google Web Accelerator
I am personally concerned about the longer term effects of Google having access to every users' entire browsing session, as well as the effects it will have on site administrators in terms of access control and statistics gathering, and discussions have already been started on how to combat this global proxy, mostly by blocking IP ranges.
http://www.searchenginejournal.com/index.php?p=1676
(...)
From a users perspective, some folks have gone as far as classifying GWA as spyware, which has a very slight, if highly sarcastic, ring of truth to it. While GWA is not sneakily installed on your system without your knowledge, it does have the potential for collecting a vast array of information that end users may not wish to allow Google to have, regardless of their motives.
Users will have to ask themselves what they're trading in exchange for a global web caching solution, and decide if it is worth it or not. Of course, users have already had to make similar privacy vs. functionality decisions with gmail and the google toolbar.
|
00:28 (# Enllaç permanent) | Comentaris: | Trackback:
|
|
© Copyright 2003-2005 Xavier Caballe.  . Si no s'indica expressament el contrari, el material publicat en aquest weblog es distribueix d'acord amb la llicència Creative Commons. El contingut és responsabilitat única i exclusivament del seu autor i no té cap relació amb les seves activitats professionals.
|
 |
 |
 |
 |
Contingut actualitzat
Categories
Darrers comentaris
Arxiu
Contingut antic
(ja no s'actualitza)
Versions anteriors
d'aquesta pàgina
|
 |
 |
 |
 |
|
