- From: Kevin Hanna <kevin@hanna.net>
- Date: Mon, 28 Apr 2003 23:13:29 -0400
- To: Joris Huizer <joris_huizer@yahoo.com>
- CC: "'www-html@w3.org'" <www-html@w3.org>
Joris,

That safety is FAR from ridiculous. If a cracker were to get their grubby hands on your encrypted passwords, it could easily take less than a minute to crack them using a dictionary attack. If the dictionary attack didn't work it could still take less than a day and likely not more than 2 days.

Operating systems have a default location for storing the passwords (and other relevant information). Browsers tell the web server which operating system is being used. So figuring out EXACTLY what file(s) to grab requires no guesswork.

If somebody with super user privileges were to open a page that exploited that safety, they could easily have most of the passwords to that system in less than a couple days.

The trick is operating systems encapsulate that information fairly well and exercise restrictions on how often or frequently a "user" can make login attempts. For instance, most network operating systems allow you to restrict a user to X number of failed logins or require X number of seconds to pass before another login attempt. Which means a cracker can make a total of, say, 3 attempts before the account is locked, or they would have to wait possibly 3 seconds before they could make a second, third... attempt, which means it would take them about 3 million times longer to use the dictionary attack.

Cheers,
Kevin Hanna

Joris Huizer wrote:

>This is a safety problem. You could do
> <input type="file" value="C:\secrets.txt"
>style="display:none">
>
>assuming a file in DOS or Windows on C:\secrets.txt -
>and a lack of true safety precautions on this file, I
>could upload your secrets.
>
>
>Now I think this idea is ridiculous: this theory
>assumes a web designer would know EXACTLY where a file
>is - I think it's safe to say such a file must be a
>system file. Even if you would know where passwords
>are stored, you can't get through encryption (unless
>we all are at great risk on the internet anyway)
>
>
>--- "Meyer, Stephen" <smeyer01@harris.com> wrote:
>
>>Hello,
>> I am having an issue with HTML file selection. On
>>my page if a value that the
>>user selected is displayed in the file selection
>>text field and then a submit
>>button is selected the value disappears if the
>>submit had an error. The html
>>page has text values and a file selection value that
>>are validated upon submit.
>>If the validation fails the page returns with an
>>error message. All the text
>>values remain but the value in the file selection
>>text field is gone. I can see
>>it in the 'VALUE=' field if I view the source code
>>but it does not display on
>>the page. Has anyone run across this issue before?
>>It happens with IE 5.5 and
>>Netscape 4.77. Any help is appreciated.
>>
>>Steve Meyer

Received on Monday, 28 April 2003 23:13:42 UTC
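
The failed-login limit and the enforced delay between attempts that the message above describes, as an added sketch that is not part of the original thread. The class name, parameter names and default values (3 failures, 3 seconds) are assumptions chosen to match the figures in the message.

```python
import time


class LoginThrottle:
    """Per-account failed-login limit plus a minimum delay between attempts.

    Illustrative sketch: names and defaults are assumptions, not from the thread.
    """

    def __init__(self, max_failures=3, min_interval=3.0, clock=time.monotonic):
        self.max_failures = max_failures  # "X number of failed logins"
        self.min_interval = min_interval  # "X number of seconds" between attempts
        self.clock = clock                # injectable so the logic can be tested
        self._state = {}                  # account -> (failures, time of last checked attempt)

    def attempt(self, account, credentials_ok):
        """Record one attempt; return 'ok', 'denied', 'throttled' or 'locked'."""
        now = self.clock()
        failures, last = self._state.get(account, (0, None))
        if failures >= self.max_failures:
            # Locked accounts stay locked until unlock() is called,
            # even if the correct password is finally supplied.
            return "locked"
        if last is not None and now - last < self.min_interval:
            # Too soon after the previous attempt: reject without evaluating
            # the credentials, so a fast guess learns nothing either way.
            return "throttled"
        if credentials_ok:
            self._state[account] = (0, now)  # success resets the failure count
            return "ok"
        self._state[account] = (failures + 1, now)
        return "denied"

    def unlock(self, account):
        """Administrative reset of one account."""
        self._state.pop(account, None)


if __name__ == "__main__":
    # Constructed sample run with a fake clock (seconds).
    t = [0.0]
    throttle = LoginThrottle(clock=lambda: t[0])
    for when, ok in [(0, False), (1, True), (3, False), (6, False), (9, True)]:
        t[0] = float(when)
        print(when, throttle.attempt("alice", ok))
```

These limits only slow guesses made through the login interface; they do not apply once the password file itself has been copied, which is the case the first paragraph of the message is concerned with.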